1 /* 2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.math.BigInteger; 29 import java.security.*; 30 import java.security.spec.*; 31 import java.util.Collection; 32 import java.util.Date; 33 import java.util.List; 34 import javax.security.auth.x500.X500Principal; 35 36 import sun.security.x509.X509CertImpl; 37 import sun.security.util.SignatureUtil; 38 39 /** 40 * <p> 41 * Abstract class for X.509 certificates. This provides a standard 42 * way to access all the attributes of an X.509 certificate. 43 * <p> 44 * In June of 1996, the basic X.509 v3 format was completed by 45 * ISO/IEC and ANSI X9, which is described below in ASN.1: 46 * <pre> 47 * Certificate ::= SEQUENCE { 48 * tbsCertificate TBSCertificate, 49 * signatureAlgorithm AlgorithmIdentifier, 50 * signature BIT STRING } 51 * </pre> 52 * <p> 53 * These certificates are widely used to support authentication and 54 * other functionality in Internet security systems. Common applications 55 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 56 * code signing for trusted software distribution, and Secure Electronic 57 * Transactions (SET). 58 * <p> 59 * These certificates are managed and vouched for by <em>Certificate 60 * Authorities</em> (CAs). CAs are services which create certificates by 61 * placing data in the X.509 standard format and then digitally signing 62 * that data. CAs act as trusted third parties, making introductions 63 * between principals who have no direct knowledge of each other. 64 * CA certificates are either signed by themselves, or by some other 65 * CA such as a "root" CA. 66 * <p> 67 * More information can be found in 68 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 69 * Public Key Infrastructure Certificate and CRL Profile</a>. 70 * <p> 71 * The ASN.1 definition of {@code tbsCertificate} is: 72 * <pre> 73 * TBSCertificate ::= SEQUENCE { 74 * version [0] EXPLICIT Version DEFAULT v1, 75 * serialNumber CertificateSerialNumber, 76 * signature AlgorithmIdentifier, 77 * issuer Name, 78 * validity Validity, 79 * subject Name, 80 * subjectPublicKeyInfo SubjectPublicKeyInfo, 81 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 82 * -- If present, version must be v2 or v3 83 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 84 * -- If present, version must be v2 or v3 85 * extensions [3] EXPLICIT Extensions OPTIONAL 86 * -- If present, version must be v3 87 * } 88 * </pre> 89 * <p> 90 * Certificates are instantiated using a certificate factory. The following is 91 * an example of how to instantiate an X.509 certificate: 92 * <pre> 93 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) { 94 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 95 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream); 96 * } 97 * </pre> 98 * 99 * @author Hemma Prafullchandra 100 * @since 1.2 101 * 102 * 103 * @see Certificate 104 * @see CertificateFactory 105 * @see X509Extension 106 */ 107 108 public abstract class X509Certificate extends Certificate 109 implements X509Extension { 110 111 private static final long serialVersionUID = -2491127588187038216L; 112 113 private transient X500Principal subjectX500Principal, issuerX500Principal; 114 115 /** 116 * Constructor for X.509 certificates. 117 */ 118 protected X509Certificate() { 119 super("X.509"); 120 } 121 122 /** 123 * Checks that the certificate is currently valid. It is if 124 * the current date and time are within the validity period given in the 125 * certificate. 126 * <p> 127 * The validity period consists of two date/time values: 128 * the first and last dates (and times) on which the certificate 129 * is valid. It is defined in 130 * ASN.1 as: 131 * <pre> 132 * validity Validity 133 * 134 * Validity ::= SEQUENCE { 135 * notBefore CertificateValidityDate, 136 * notAfter CertificateValidityDate } 137 * 138 * CertificateValidityDate ::= CHOICE { 139 * utcTime UTCTime, 140 * generalTime GeneralizedTime } 141 * </pre> 142 * 143 * @exception CertificateExpiredException if the certificate has expired. 144 * @exception CertificateNotYetValidException if the certificate is not 145 * yet valid. 146 */ 147 public abstract void checkValidity() 148 throws CertificateExpiredException, CertificateNotYetValidException; 149 150 /** 151 * Checks that the given date is within the certificate's 152 * validity period. In other words, this determines whether the 153 * certificate would be valid at the given date/time. 154 * 155 * @param date the Date to check against to see if this certificate 156 * is valid at that date/time. 157 * 158 * @exception CertificateExpiredException if the certificate has expired 159 * with respect to the {@code date} supplied. 160 * @exception CertificateNotYetValidException if the certificate is not 161 * yet valid with respect to the {@code date} supplied. 162 * 163 * @see #checkValidity() 164 */ 165 public abstract void checkValidity(Date date) 166 throws CertificateExpiredException, CertificateNotYetValidException; 167 168 /** 169 * Gets the {@code version} (version number) value from the 170 * certificate. 171 * The ASN.1 definition for this is: 172 * <pre> 173 * version [0] EXPLICIT Version DEFAULT v1 174 * 175 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 176 * </pre> 177 * @return the version number, i.e. 1, 2 or 3. 178 */ 179 public abstract int getVersion(); 180 181 /** 182 * Gets the {@code serialNumber} value from the certificate. 183 * The serial number is an integer assigned by the certification 184 * authority to each certificate. It must be unique for each 185 * certificate issued by a given CA (i.e., the issuer name and 186 * serial number identify a unique certificate). 187 * The ASN.1 definition for this is: 188 * <pre> 189 * serialNumber CertificateSerialNumber 190 * 191 * CertificateSerialNumber ::= INTEGER 192 * </pre> 193 * 194 * @return the serial number. 195 */ 196 public abstract BigInteger getSerialNumber(); 197 198 /** 199 * <strong>Denigrated</strong>, replaced by {@linkplain 200 * #getIssuerX500Principal()}. This method returns the {@code issuer} 201 * as an implementation specific Principal object, which should not be 202 * relied upon by portable code. 203 * 204 * <p> 205 * Gets the {@code issuer} (issuer distinguished name) value from 206 * the certificate. The issuer name identifies the entity that signed (and 207 * issued) the certificate. 208 * 209 * <p>The issuer name field contains an 210 * X.500 distinguished name (DN). 211 * The ASN.1 definition for this is: 212 * <pre> 213 * issuer Name 214 * 215 * Name ::= CHOICE { RDNSequence } 216 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 217 * RelativeDistinguishedName ::= 218 * SET OF AttributeValueAssertion 219 * 220 * AttributeValueAssertion ::= SEQUENCE { 221 * AttributeType, 222 * AttributeValue } 223 * AttributeType ::= OBJECT IDENTIFIER 224 * AttributeValue ::= ANY 225 * </pre> 226 * The {@code Name} describes a hierarchical name composed of 227 * attributes, 228 * such as country name, and corresponding values, such as US. 229 * The type of the {@code AttributeValue} component is determined by 230 * the {@code AttributeType}; in general it will be a 231 * {@code directoryString}. A {@code directoryString} is usually 232 * one of {@code PrintableString}, 233 * {@code TeletexString} or {@code UniversalString}. 234 * 235 * @return a Principal whose name is the issuer distinguished name. 236 */ 237 public abstract Principal getIssuerDN(); 238 239 /** 240 * Returns the issuer (issuer distinguished name) value from the 241 * certificate as an {@code X500Principal}. 242 * <p> 243 * It is recommended that subclasses override this method. 244 * 245 * @return an {@code X500Principal} representing the issuer 246 * distinguished name 247 * @since 1.4 248 */ 249 public X500Principal getIssuerX500Principal() { 250 if (issuerX500Principal == null) { 251 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this); 252 } 253 return issuerX500Principal; 254 } 255 256 /** 257 * <strong>Denigrated</strong>, replaced by {@linkplain 258 * #getSubjectX500Principal()}. This method returns the {@code subject} 259 * as an implementation specific Principal object, which should not be 260 * relied upon by portable code. 261 * 262 * <p> 263 * Gets the {@code subject} (subject distinguished name) value 264 * from the certificate. If the {@code subject} value is empty, 265 * then the {@code getName()} method of the returned 266 * {@code Principal} object returns an empty string (""). 267 * 268 * <p> The ASN.1 definition for this is: 269 * <pre> 270 * subject Name 271 * </pre> 272 * 273 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 274 * and other relevant definitions. 275 * 276 * @return a Principal whose name is the subject name. 277 */ 278 public abstract Principal getSubjectDN(); 279 280 /** 281 * Returns the subject (subject distinguished name) value from the 282 * certificate as an {@code X500Principal}. If the subject value 283 * is empty, then the {@code getName()} method of the returned 284 * {@code X500Principal} object returns an empty string (""). 285 * <p> 286 * It is recommended that subclasses override this method. 287 * 288 * @return an {@code X500Principal} representing the subject 289 * distinguished name 290 * @since 1.4 291 */ 292 public X500Principal getSubjectX500Principal() { 293 if (subjectX500Principal == null) { 294 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this); 295 } 296 return subjectX500Principal; 297 } 298 299 /** 300 * Gets the {@code notBefore} date from the validity period of 301 * the certificate. 302 * The relevant ASN.1 definitions are: 303 * <pre> 304 * validity Validity 305 * 306 * Validity ::= SEQUENCE { 307 * notBefore CertificateValidityDate, 308 * notAfter CertificateValidityDate } 309 * 310 * CertificateValidityDate ::= CHOICE { 311 * utcTime UTCTime, 312 * generalTime GeneralizedTime } 313 * </pre> 314 * 315 * @return the start date of the validity period. 316 * @see #checkValidity 317 */ 318 public abstract Date getNotBefore(); 319 320 /** 321 * Gets the {@code notAfter} date from the validity period of 322 * the certificate. See {@link #getNotBefore() getNotBefore} 323 * for relevant ASN.1 definitions. 324 * 325 * @return the end date of the validity period. 326 * @see #checkValidity 327 */ 328 public abstract Date getNotAfter(); 329 330 /** 331 * Gets the DER-encoded certificate information, the 332 * {@code tbsCertificate} from this certificate. 333 * This can be used to verify the signature independently. 334 * 335 * @return the DER-encoded certificate information. 336 * @exception CertificateEncodingException if an encoding error occurs. 337 */ 338 public abstract byte[] getTBSCertificate() 339 throws CertificateEncodingException; 340 341 /** 342 * Gets the {@code signature} value (the raw signature bits) from 343 * the certificate. 344 * The ASN.1 definition for this is: 345 * <pre> 346 * signature BIT STRING 347 * </pre> 348 * 349 * @return the signature. 350 */ 351 public abstract byte[] getSignature(); 352 353 /** 354 * Gets the signature algorithm name for the certificate 355 * signature algorithm. An example is the string "SHA256withRSA". 356 * The ASN.1 definition for this is: 357 * <pre> 358 * signatureAlgorithm AlgorithmIdentifier 359 * 360 * AlgorithmIdentifier ::= SEQUENCE { 361 * algorithm OBJECT IDENTIFIER, 362 * parameters ANY DEFINED BY algorithm OPTIONAL } 363 * -- contains a value of the type 364 * -- registered for use with the 365 * -- algorithm object identifier value 366 * </pre> 367 * 368 * <p>The algorithm name is determined from the {@code algorithm} 369 * OID string. 370 * 371 * @return the signature algorithm name. 372 */ 373 public abstract String getSigAlgName(); 374 375 /** 376 * Gets the signature algorithm OID string from the certificate. 377 * An OID is represented by a set of nonnegative whole numbers separated 378 * by periods. 379 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 380 * with DSA signature algorithm defined in 381 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 382 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 383 * and CRL Profile</a>. 384 * 385 * <p>See {@link #getSigAlgName() getSigAlgName} for 386 * relevant ASN.1 definitions. 387 * 388 * @return the signature algorithm OID string. 389 */ 390 public abstract String getSigAlgOID(); 391 392 /** 393 * Gets the DER-encoded signature algorithm parameters from this 394 * certificate's signature algorithm. In most cases, the signature 395 * algorithm parameters are null; the parameters are usually 396 * supplied with the certificate's public key. 397 * If access to individual parameter values is needed then use 398 * {@link java.security.AlgorithmParameters AlgorithmParameters} 399 * and instantiate with the name returned by 400 * {@link #getSigAlgName() getSigAlgName}. 401 * 402 * <p>See {@link #getSigAlgName() getSigAlgName} for 403 * relevant ASN.1 definitions. 404 * 405 * @return the DER-encoded signature algorithm parameters, or 406 * null if no parameters are present. 407 */ 408 public abstract byte[] getSigAlgParams(); 409 410 /** 411 * Gets the {@code issuerUniqueID} value from the certificate. 412 * The issuer unique identifier is present in the certificate 413 * to handle the possibility of reuse of issuer names over time. 414 * RFC 5280 recommends that names not be reused and that 415 * conforming certificates not make use of unique identifiers. 416 * Applications conforming to that profile should be capable of 417 * parsing unique identifiers and making comparisons. 418 * 419 * <p>The ASN.1 definition for this is: 420 * <pre> 421 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL 422 * 423 * UniqueIdentifier ::= BIT STRING 424 * </pre> 425 * 426 * @return the issuer unique identifier or null if it is not 427 * present in the certificate. 428 */ 429 public abstract boolean[] getIssuerUniqueID(); 430 431 /** 432 * Gets the {@code subjectUniqueID} value from the certificate. 433 * 434 * <p>The ASN.1 definition for this is: 435 * <pre> 436 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 437 * 438 * UniqueIdentifier ::= BIT STRING 439 * </pre> 440 * 441 * @return the subject unique identifier or null if it is not 442 * present in the certificate. 443 */ 444 public abstract boolean[] getSubjectUniqueID(); 445 446 /** 447 * Gets a boolean array representing bits of 448 * the {@code KeyUsage} extension, (OID = 2.5.29.15). 449 * The key usage extension defines the purpose (e.g., encipherment, 450 * signature, certificate signing) of the key contained in the 451 * certificate. 452 * The ASN.1 definition for this is: 453 * <pre> 454 * KeyUsage ::= BIT STRING { 455 * digitalSignature (0), 456 * nonRepudiation (1), 457 * keyEncipherment (2), 458 * dataEncipherment (3), 459 * keyAgreement (4), 460 * keyCertSign (5), 461 * cRLSign (6), 462 * encipherOnly (7), 463 * decipherOnly (8) } 464 * </pre> 465 * RFC 5280 recommends that when used, this be marked 466 * as a critical extension. 467 * 468 * @return the KeyUsage extension of this certificate, represented as 469 * an array of booleans. The order of KeyUsage values in the array is 470 * the same as in the above ASN.1 definition. The array will contain a 471 * value for each KeyUsage defined above. If the KeyUsage list encoded 472 * in the certificate is longer than the above list, it will not be 473 * truncated. Returns null if this certificate does not 474 * contain a KeyUsage extension. 475 */ 476 public abstract boolean[] getKeyUsage(); 477 478 /** 479 * Gets an unmodifiable list of Strings representing the OBJECT 480 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the 481 * extended key usage extension, (OID = 2.5.29.37). It indicates 482 * one or more purposes for which the certified public key may be 483 * used, in addition to or in place of the basic purposes 484 * indicated in the key usage extension field. The ASN.1 485 * definition for this is: 486 * <pre> 487 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 488 * 489 * KeyPurposeId ::= OBJECT IDENTIFIER 490 * </pre> 491 * 492 * Key purposes may be defined by any organization with a 493 * need. Object identifiers used to identify key purposes shall be 494 * assigned in accordance with IANA or ITU-T Rec. X.660 | 495 * ISO/IEC/ITU 9834-1. 496 * <p> 497 * This method was added to version 1.4 of the Java 2 Platform Standard 498 * Edition. In order to maintain backwards compatibility with existing 499 * service providers, this method is not {@code abstract} 500 * and it provides a default implementation. Subclasses 501 * should override this method with a correct implementation. 502 * 503 * @return the ExtendedKeyUsage extension of this certificate, 504 * as an unmodifiable list of object identifiers represented 505 * as Strings. Returns null if this certificate does not 506 * contain an ExtendedKeyUsage extension. 507 * @throws CertificateParsingException if the extension cannot be decoded 508 * @since 1.4 509 */ 510 public List<String> getExtendedKeyUsage() throws CertificateParsingException { 511 return X509CertImpl.getExtendedKeyUsage(this); 512 } 513 514 /** 515 * Gets the certificate constraints path length from the 516 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19). 517 * <p> 518 * The basic constraints extension identifies whether the subject 519 * of the certificate is a Certificate Authority (CA) and 520 * how deep a certification path may exist through that CA. The 521 * {@code pathLenConstraint} field (see below) is meaningful 522 * only if {@code cA} is set to TRUE. In this case, it gives the 523 * maximum number of CA certificates that may follow this certificate in a 524 * certification path. A value of zero indicates that only an end-entity 525 * certificate may follow in the path. 526 * <p> 527 * The ASN.1 definition for this is: 528 * <pre> 529 * BasicConstraints ::= SEQUENCE { 530 * cA BOOLEAN DEFAULT FALSE, 531 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 532 * </pre> 533 * 534 * @return the value of {@code pathLenConstraint} if the 535 * BasicConstraints extension is present in the certificate and the 536 * subject of the certificate is a CA, otherwise -1. 537 * If the subject of the certificate is a CA and 538 * {@code pathLenConstraint} does not appear, 539 * {@code Integer.MAX_VALUE} is returned to indicate that there is no 540 * limit to the allowed length of the certification path. 541 */ 542 public abstract int getBasicConstraints(); 543 544 /** 545 * Gets an immutable collection of subject alternative names from the 546 * {@code SubjectAltName} extension, (OID = 2.5.29.17). 547 * <p> 548 * The ASN.1 definition of the {@code SubjectAltName} extension is: 549 * <pre> 550 * SubjectAltName ::= GeneralNames 551 * 552 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName 553 * 554 * GeneralName ::= CHOICE { 555 * otherName [0] OtherName, 556 * rfc822Name [1] IA5String, 557 * dNSName [2] IA5String, 558 * x400Address [3] ORAddress, 559 * directoryName [4] Name, 560 * ediPartyName [5] EDIPartyName, 561 * uniformResourceIdentifier [6] IA5String, 562 * iPAddress [7] OCTET STRING, 563 * registeredID [8] OBJECT IDENTIFIER} 564 * </pre> 565 * <p> 566 * If this certificate does not contain a {@code SubjectAltName} 567 * extension, {@code null} is returned. Otherwise, a 568 * {@code Collection} is returned with an entry representing each 569 * {@code GeneralName} included in the extension. Each entry is a 570 * {@code List} whose first entry is an {@code Integer} 571 * (the name type, 0-8) and whose second entry is a {@code String} 572 * or a byte array (the name, in string or ASN.1 DER encoded form, 573 * respectively). 574 * <p> 575 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI 576 * names are returned as {@code String}s, 577 * using the well-established string formats for those types (subject to 578 * the restrictions included in RFC 5280). IPv4 address names are 579 * returned using dotted quad notation. IPv6 address names are returned 580 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values 581 * representing the eight 16-bit pieces of the address. OID names are 582 * returned as {@code String}s represented as a series of nonnegative 583 * integers separated by periods. And directory names (distinguished names) 584 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt"> 585 * RFC 2253</a> string format. No standard string format is 586 * defined for otherNames, X.400 names, EDI party names, or any 587 * other type of names. They are returned as byte arrays 588 * containing the ASN.1 DER encoded form of the name. 589 * <p> 590 * Note that the {@code Collection} returned may contain more 591 * than one name of the same type. Also, note that the returned 592 * {@code Collection} is immutable and any entries containing byte 593 * arrays are cloned to protect against subsequent modifications. 594 * <p> 595 * This method was added to version 1.4 of the Java 2 Platform Standard 596 * Edition. In order to maintain backwards compatibility with existing 597 * service providers, this method is not {@code abstract} 598 * and it provides a default implementation. Subclasses 599 * should override this method with a correct implementation. 600 * 601 * @return an immutable {@code Collection} of subject alternative 602 * names (or {@code null}) 603 * @throws CertificateParsingException if the extension cannot be decoded 604 * @since 1.4 605 */ 606 public Collection<List<?>> getSubjectAlternativeNames() 607 throws CertificateParsingException { 608 return X509CertImpl.getSubjectAlternativeNames(this); 609 } 610 611 /** 612 * Gets an immutable collection of issuer alternative names from the 613 * {@code IssuerAltName} extension, (OID = 2.5.29.18). 614 * <p> 615 * The ASN.1 definition of the {@code IssuerAltName} extension is: 616 * <pre> 617 * IssuerAltName ::= GeneralNames 618 * </pre> 619 * The ASN.1 definition of {@code GeneralNames} is defined 620 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}. 621 * <p> 622 * If this certificate does not contain an {@code IssuerAltName} 623 * extension, {@code null} is returned. Otherwise, a 624 * {@code Collection} is returned with an entry representing each 625 * {@code GeneralName} included in the extension. Each entry is a 626 * {@code List} whose first entry is an {@code Integer} 627 * (the name type, 0-8) and whose second entry is a {@code String} 628 * or a byte array (the name, in string or ASN.1 DER encoded form, 629 * respectively). For more details about the formats used for each 630 * name type, see the {@code getSubjectAlternativeNames} method. 631 * <p> 632 * Note that the {@code Collection} returned may contain more 633 * than one name of the same type. Also, note that the returned 634 * {@code Collection} is immutable and any entries containing byte 635 * arrays are cloned to protect against subsequent modifications. 636 * <p> 637 * This method was added to version 1.4 of the Java 2 Platform Standard 638 * Edition. In order to maintain backwards compatibility with existing 639 * service providers, this method is not {@code abstract} 640 * and it provides a default implementation. Subclasses 641 * should override this method with a correct implementation. 642 * 643 * @return an immutable {@code Collection} of issuer alternative 644 * names (or {@code null}) 645 * @throws CertificateParsingException if the extension cannot be decoded 646 * @since 1.4 647 */ 648 public Collection<List<?>> getIssuerAlternativeNames() 649 throws CertificateParsingException { 650 return X509CertImpl.getIssuerAlternativeNames(this); 651 } 652 653 /** 654 * Verifies that this certificate was signed using the 655 * private key that corresponds to the specified public key. 656 * This method uses the signature verification engine 657 * supplied by the specified provider. Note that the specified 658 * Provider object does not have to be registered in the provider list. 659 * 660 * This method was added to version 1.8 of the Java Platform Standard 661 * Edition. In order to maintain backwards compatibility with existing 662 * service providers, this method is not {@code abstract} 663 * and it provides a default implementation. 664 * 665 * @param key the PublicKey used to carry out the verification. 666 * @param sigProvider the signature provider. 667 * 668 * @exception NoSuchAlgorithmException on unsupported signature 669 * algorithms. 670 * @exception InvalidKeyException on incorrect key. 671 * @exception SignatureException on signature errors. 672 * @exception CertificateException on encoding errors. 673 * @exception UnsupportedOperationException if the method is not supported 674 * @since 1.8 675 */ 676 public void verify(PublicKey key, Provider sigProvider) 677 throws CertificateException, NoSuchAlgorithmException, 678 InvalidKeyException, SignatureException { 679 String sigName = getSigAlgName(); 680 Signature sig = (sigProvider == null) 681 ? Signature.getInstance(sigName) 682 : Signature.getInstance(sigName, sigProvider); 683 684 try { 685 SignatureUtil.initVerifyWithParam(sig, key, 686 SignatureUtil.getParamSpec(sigName, getSigAlgParams())); 687 } catch (ProviderException e) { 688 throw new CertificateException(e.getMessage(), e.getCause()); 689 } catch (InvalidAlgorithmParameterException e) { 690 throw new CertificateException(e); 691 } 692 693 byte[] tbsCert = getTBSCertificate(); 694 sig.update(tbsCert, 0, tbsCert.length); 695 696 if (sig.verify(getSignature()) == false) { 697 throw new SignatureException("Signature does not match."); 698 } 699 } 700 }