The extensions defined for X.509 v3 * {@link X509Certificate Certificates} and v2 * {@link X509CRL CRLs} (Certificate Revocation * Lists) provide methods * for associating additional attributes with users or public keys, * for managing the certification hierarchy, and for managing CRL * distribution. The X.509 extensions format also allows communities * to define private extensions to carry information unique to those * communities. * *
Each extension in a certificate/CRL may be designated as * critical or non-critical. A certificate/CRL-using system (an application * validating a certificate/CRL) must reject the certificate/CRL if it * encounters a critical extension it does not recognize. A non-critical * extension may be ignored if it is not recognized. *
* The ASN.1 definition for this is: *
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*
* Extension ::= SEQUENCE {
* extnId OBJECT IDENTIFIER,
* critical BOOLEAN DEFAULT FALSE,
* extnValue OCTET STRING
* -- contains a DER encoding of a value
* -- of the type registered for use with
* -- the extnId object identifier value
* }
*
* Since not all extensions are known, the {@code getExtensionValue}
* method returns the DER-encoded OCTET STRING of the
* extension value (i.e., the {@code extnValue}). This can then
* be handled by a Class that understands the extension.
*
* @author Hemma Prafullchandra
*/
public interface X509Extension {
/**
* Check if there is a critical extension that is not supported.
*
* @return true if a critical extension is found that is
* not supported, otherwise false.
*/
public boolean hasUnsupportedCriticalExtension();
/**
* Gets a Set of the OID strings for the extension(s) marked
* CRITICAL in the certificate/CRL managed by the object
* implementing this interface.
*
* Here is sample code to get a Set of critical extensions from an
* X509Certificate and print the OIDs:
* {@code
* X509Certificate cert = null;
* try (InputStream inStrm = new FileInputStream("DER-encoded-Cert")) {
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* cert = (X509Certificate)cf.generateCertificate(inStrm);
* }
*
* Set critSet = cert.getCriticalExtensionOIDs();
* if (critSet != null && !critSet.isEmpty()) {
* System.out.println("Set of critical extensions:");
* for (String oid : critSet) {
* System.out.println(oid);
* }
* }
* }
* @return a Set (or an empty Set if none are marked critical) of
* the extension OID strings for extensions that are marked critical.
* If there are no extensions present at all, then this method returns
* null.
*/
public Set{@code
* CertificateFactory cf = null;
* X509CRL crl = null;
* try (InputStream inStrm = new FileInputStream("DER-encoded-CRL")) {
* cf = CertificateFactory.getInstance("X.509");
* crl = (X509CRL)cf.generateCRL(inStrm);
* }
*
* byte[] certData =
* ByteArrayInputStream bais = new ByteArrayInputStream(certData);
* X509Certificate cert = (X509Certificate)cf.generateCertificate(bais);
* X509CRLEntry badCert =
* crl.getRevokedCertificate(cert.getSerialNumber());
*
* if (badCert != null) {
* Set nonCritSet = badCert.getNonCriticalExtensionOIDs();
* if (nonCritSet != null)
* for (String oid : nonCritSet) {
* System.out.println(oid);
* }
* }
* }
*
* @return a Set (or an empty Set if none are marked non-critical) of
* the extension OID strings for extensions that are marked non-critical.
* If there are no extensions present at all, then this method returns
* null.
*/
public SetFor example:
*
| OID (Object Identifier) | *Extension Name |
|---|---|
| 2.5.29.14 | *SubjectKeyIdentifier |
| 2.5.29.15 | *KeyUsage |
| 2.5.29.16 | *PrivateKeyUsage |
| 2.5.29.17 | *SubjectAlternativeName |
| 2.5.29.18 | *IssuerAlternativeName |
| 2.5.29.19 | *BasicConstraints |
| 2.5.29.30 | *NameConstraints |
| 2.5.29.33 | *PolicyMappings |
| 2.5.29.35 | *AuthorityKeyIdentifier |
| 2.5.29.36 | *PolicyConstraints |