1 /* 2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.math.BigInteger; 29 import java.security.*; 30 import java.util.Collection; 31 import java.util.Date; 32 import java.util.List; 33 import javax.security.auth.x500.X500Principal; 34 35 import sun.security.x509.X509CertImpl; 36 37 /** 38 * <p> 39 * Abstract class for X.509 certificates. This provides a standard 40 * way to access all the attributes of an X.509 certificate. 41 * <p> 42 * In June of 1996, the basic X.509 v3 format was completed by 43 * ISO/IEC and ANSI X9, which is described below in ASN.1: 44 * <pre> 45 * Certificate ::= SEQUENCE { 46 * tbsCertificate TBSCertificate, 47 * signatureAlgorithm AlgorithmIdentifier, 48 * signature BIT STRING } 49 * </pre> 50 * <p> 51 * These certificates are widely used to support authentication and 52 * other functionality in Internet security systems. Common applications 53 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 54 * code signing for trusted software distribution, and Secure Electronic 55 * Transactions (SET). 56 * <p> 57 * These certificates are managed and vouched for by <em>Certificate 58 * Authorities</em> (CAs). CAs are services which create certificates by 59 * placing data in the X.509 standard format and then digitally signing 60 * that data. CAs act as trusted third parties, making introductions 61 * between principals who have no direct knowledge of each other. 62 * CA certificates are either signed by themselves, or by some other 63 * CA such as a "root" CA. 64 * <p> 65 * More information can be found in 66 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 67 * Public Key Infrastructure Certificate and CRL Profile</a>. 68 * <p> 69 * The ASN.1 definition of {@code tbsCertificate} is: 70 * <pre> 71 * TBSCertificate ::= SEQUENCE { 72 * version [0] EXPLICIT Version DEFAULT v1, 73 * serialNumber CertificateSerialNumber, 74 * signature AlgorithmIdentifier, 75 * issuer Name, 76 * validity Validity, 77 * subject Name, 78 * subjectPublicKeyInfo SubjectPublicKeyInfo, 79 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 80 * -- If present, version must be v2 or v3 81 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 82 * -- If present, version must be v2 or v3 83 * extensions [3] EXPLICIT Extensions OPTIONAL 84 * -- If present, version must be v3 85 * } 86 * </pre> 87 * <p> 88 * Certificates are instantiated using a certificate factory. The following is 89 * an example of how to instantiate an X.509 certificate: 90 * <pre> 91 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) { 92 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 93 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream); 94 * } 95 * </pre> 96 * 97 * @author Hemma Prafullchandra 98 * 99 * 100 * @see Certificate 101 * @see CertificateFactory 102 * @see X509Extension 103 */ 104 105 public abstract class X509Certificate extends Certificate 106 implements X509Extension { 107 108 private static final long serialVersionUID = -2491127588187038216L; 109 110 private transient X500Principal subjectX500Principal, issuerX500Principal; 111 112 /** 113 * Constructor for X.509 certificates. 114 */ 115 protected X509Certificate() { 116 super("X.509"); 117 } 118 119 /** 120 * Checks that the certificate is currently valid. It is if 121 * the current date and time are within the validity period given in the 122 * certificate. 123 * <p> 124 * The validity period consists of two date/time values: 125 * the first and last dates (and times) on which the certificate 126 * is valid. It is defined in 127 * ASN.1 as: 128 * <pre> 129 * validity Validity 130 * 131 * Validity ::= SEQUENCE { 132 * notBefore CertificateValidityDate, 133 * notAfter CertificateValidityDate } 134 * 135 * CertificateValidityDate ::= CHOICE { 136 * utcTime UTCTime, 137 * generalTime GeneralizedTime } 138 * </pre> 139 * 140 * @exception CertificateExpiredException if the certificate has expired. 141 * @exception CertificateNotYetValidException if the certificate is not 142 * yet valid. 143 */ 144 public abstract void checkValidity() 145 throws CertificateExpiredException, CertificateNotYetValidException; 146 147 /** 148 * Checks that the given date is within the certificate's 149 * validity period. In other words, this determines whether the 150 * certificate would be valid at the given date/time. 151 * 152 * @param date the Date to check against to see if this certificate 153 * is valid at that date/time. 154 * 155 * @exception CertificateExpiredException if the certificate has expired 156 * with respect to the {@code date} supplied. 157 * @exception CertificateNotYetValidException if the certificate is not 158 * yet valid with respect to the {@code date} supplied. 159 * 160 * @see #checkValidity() 161 */ 162 public abstract void checkValidity(Date date) 163 throws CertificateExpiredException, CertificateNotYetValidException; 164 165 /** 166 * Gets the {@code version} (version number) value from the 167 * certificate. 168 * The ASN.1 definition for this is: 169 * <pre> 170 * version [0] EXPLICIT Version DEFAULT v1 171 * 172 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 173 * </pre> 174 * @return the version number, i.e. 1, 2 or 3. 175 */ 176 public abstract int getVersion(); 177 178 /** 179 * Gets the {@code serialNumber} value from the certificate. 180 * The serial number is an integer assigned by the certification 181 * authority to each certificate. It must be unique for each 182 * certificate issued by a given CA (i.e., the issuer name and 183 * serial number identify a unique certificate). 184 * The ASN.1 definition for this is: 185 * <pre> 186 * serialNumber CertificateSerialNumber 187 * 188 * CertificateSerialNumber ::= INTEGER 189 * </pre> 190 * 191 * @return the serial number. 192 */ 193 public abstract BigInteger getSerialNumber(); 194 195 /** 196 * <strong>Denigrated</strong>, replaced by {@linkplain 197 * #getIssuerX500Principal()}. This method returns the {@code issuer} 198 * as an implementation specific Principal object, which should not be 199 * relied upon by portable code. 200 * 201 * <p> 202 * Gets the {@code issuer} (issuer distinguished name) value from 203 * the certificate. The issuer name identifies the entity that signed (and 204 * issued) the certificate. 205 * 206 * <p>The issuer name field contains an 207 * X.500 distinguished name (DN). 208 * The ASN.1 definition for this is: 209 * <pre> 210 * issuer Name 211 * 212 * Name ::= CHOICE { RDNSequence } 213 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 214 * RelativeDistinguishedName ::= 215 * SET OF AttributeValueAssertion 216 * 217 * AttributeValueAssertion ::= SEQUENCE { 218 * AttributeType, 219 * AttributeValue } 220 * AttributeType ::= OBJECT IDENTIFIER 221 * AttributeValue ::= ANY 222 * </pre> 223 * The {@code Name} describes a hierarchical name composed of 224 * attributes, 225 * such as country name, and corresponding values, such as US. 226 * The type of the {@code AttributeValue} component is determined by 227 * the {@code AttributeType}; in general it will be a 228 * {@code directoryString}. A {@code directoryString} is usually 229 * one of {@code PrintableString}, 230 * {@code TeletexString} or {@code UniversalString}. 231 * 232 * @return a Principal whose name is the issuer distinguished name. 233 */ 234 public abstract Principal getIssuerDN(); 235 236 /** 237 * Returns the issuer (issuer distinguished name) value from the 238 * certificate as an {@code X500Principal}. 239 * <p> 240 * It is recommended that subclasses override this method. 241 * 242 * @return an {@code X500Principal} representing the issuer 243 * distinguished name 244 * @since 1.4 245 */ 246 public X500Principal getIssuerX500Principal() { 247 if (issuerX500Principal == null) { 248 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this); 249 } 250 return issuerX500Principal; 251 } 252 253 /** 254 * <strong>Denigrated</strong>, replaced by {@linkplain 255 * #getSubjectX500Principal()}. This method returns the {@code subject} 256 * as an implementation specific Principal object, which should not be 257 * relied upon by portable code. 258 * 259 * <p> 260 * Gets the {@code subject} (subject distinguished name) value 261 * from the certificate. If the {@code subject} value is empty, 262 * then the {@code getName()} method of the returned 263 * {@code Principal} object returns an empty string (""). 264 * 265 * <p> The ASN.1 definition for this is: 266 * <pre> 267 * subject Name 268 * </pre> 269 * 270 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 271 * and other relevant definitions. 272 * 273 * @return a Principal whose name is the subject name. 274 */ 275 public abstract Principal getSubjectDN(); 276 277 /** 278 * Returns the subject (subject distinguished name) value from the 279 * certificate as an {@code X500Principal}. If the subject value 280 * is empty, then the {@code getName()} method of the returned 281 * {@code X500Principal} object returns an empty string (""). 282 * <p> 283 * It is recommended that subclasses override this method. 284 * 285 * @return an {@code X500Principal} representing the subject 286 * distinguished name 287 * @since 1.4 288 */ 289 public X500Principal getSubjectX500Principal() { 290 if (subjectX500Principal == null) { 291 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this); 292 } 293 return subjectX500Principal; 294 } 295 296 /** 297 * Gets the {@code notBefore} date from the validity period of 298 * the certificate. 299 * The relevant ASN.1 definitions are: 300 * <pre> 301 * validity Validity 302 * 303 * Validity ::= SEQUENCE { 304 * notBefore CertificateValidityDate, 305 * notAfter CertificateValidityDate } 306 * 307 * CertificateValidityDate ::= CHOICE { 308 * utcTime UTCTime, 309 * generalTime GeneralizedTime } 310 * </pre> 311 * 312 * @return the start date of the validity period. 313 * @see #checkValidity 314 */ 315 public abstract Date getNotBefore(); 316 317 /** 318 * Gets the {@code notAfter} date from the validity period of 319 * the certificate. See {@link #getNotBefore() getNotBefore} 320 * for relevant ASN.1 definitions. 321 * 322 * @return the end date of the validity period. 323 * @see #checkValidity 324 */ 325 public abstract Date getNotAfter(); 326 327 /** 328 * Gets the DER-encoded certificate information, the 329 * {@code tbsCertificate} from this certificate. 330 * This can be used to verify the signature independently. 331 * 332 * @return the DER-encoded certificate information. 333 * @exception CertificateEncodingException if an encoding error occurs. 334 */ 335 public abstract byte[] getTBSCertificate() 336 throws CertificateEncodingException; 337 338 /** 339 * Gets the {@code signature} value (the raw signature bits) from 340 * the certificate. 341 * The ASN.1 definition for this is: 342 * <pre> 343 * signature BIT STRING 344 * </pre> 345 * 346 * @return the signature. 347 */ 348 public abstract byte[] getSignature(); 349 350 /** 351 * Gets the signature algorithm name for the certificate 352 * signature algorithm. An example is the string "SHA256withRSA". 353 * The ASN.1 definition for this is: 354 * <pre> 355 * signatureAlgorithm AlgorithmIdentifier 356 * 357 * AlgorithmIdentifier ::= SEQUENCE { 358 * algorithm OBJECT IDENTIFIER, 359 * parameters ANY DEFINED BY algorithm OPTIONAL } 360 * -- contains a value of the type 361 * -- registered for use with the 362 * -- algorithm object identifier value 363 * </pre> 364 * 365 * <p>The algorithm name is determined from the {@code algorithm} 366 * OID string. 367 * 368 * @return the signature algorithm name. 369 */ 370 public abstract String getSigAlgName(); 371 372 /** 373 * Gets the signature algorithm OID string from the certificate. 374 * An OID is represented by a set of nonnegative whole numbers separated 375 * by periods. 376 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 377 * with DSA signature algorithm defined in 378 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 379 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 380 * and CRL Profile</a>. 381 * 382 * <p>See {@link #getSigAlgName() getSigAlgName} for 383 * relevant ASN.1 definitions. 384 * 385 * @return the signature algorithm OID string. 386 */ 387 public abstract String getSigAlgOID(); 388 389 /** 390 * Gets the DER-encoded signature algorithm parameters from this 391 * certificate's signature algorithm. In most cases, the signature 392 * algorithm parameters are null; the parameters are usually 393 * supplied with the certificate's public key. 394 * If access to individual parameter values is needed then use 395 * {@link java.security.AlgorithmParameters AlgorithmParameters} 396 * and instantiate with the name returned by 397 * {@link #getSigAlgName() getSigAlgName}. 398 * 399 * <p>See {@link #getSigAlgName() getSigAlgName} for 400 * relevant ASN.1 definitions. 401 * 402 * @return the DER-encoded signature algorithm parameters, or 403 * null if no parameters are present. 404 */ 405 public abstract byte[] getSigAlgParams(); 406 407 /** 408 * Gets the {@code issuerUniqueID} value from the certificate. 409 * The issuer unique identifier is present in the certificate 410 * to handle the possibility of reuse of issuer names over time. 411 * RFC 5280 recommends that names not be reused and that 412 * conforming certificates not make use of unique identifiers. 413 * Applications conforming to that profile should be capable of 414 * parsing unique identifiers and making comparisons. 415 * 416 * <p>The ASN.1 definition for this is: 417 * <pre> 418 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL 419 * 420 * UniqueIdentifier ::= BIT STRING 421 * </pre> 422 * 423 * @return the issuer unique identifier or null if it is not 424 * present in the certificate. 425 */ 426 public abstract boolean[] getIssuerUniqueID(); 427 428 /** 429 * Gets the {@code subjectUniqueID} value from the certificate. 430 * 431 * <p>The ASN.1 definition for this is: 432 * <pre> 433 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 434 * 435 * UniqueIdentifier ::= BIT STRING 436 * </pre> 437 * 438 * @return the subject unique identifier or null if it is not 439 * present in the certificate. 440 */ 441 public abstract boolean[] getSubjectUniqueID(); 442 443 /** 444 * Gets a boolean array representing bits of 445 * the {@code KeyUsage} extension, (OID = 2.5.29.15). 446 * The key usage extension defines the purpose (e.g., encipherment, 447 * signature, certificate signing) of the key contained in the 448 * certificate. 449 * The ASN.1 definition for this is: 450 * <pre> 451 * KeyUsage ::= BIT STRING { 452 * digitalSignature (0), 453 * nonRepudiation (1), 454 * keyEncipherment (2), 455 * dataEncipherment (3), 456 * keyAgreement (4), 457 * keyCertSign (5), 458 * cRLSign (6), 459 * encipherOnly (7), 460 * decipherOnly (8) } 461 * </pre> 462 * RFC 5280 recommends that when used, this be marked 463 * as a critical extension. 464 * 465 * @return the KeyUsage extension of this certificate, represented as 466 * an array of booleans. The order of KeyUsage values in the array is 467 * the same as in the above ASN.1 definition. The array will contain a 468 * value for each KeyUsage defined above. If the KeyUsage list encoded 469 * in the certificate is longer than the above list, it will not be 470 * truncated. Returns null if this certificate does not 471 * contain a KeyUsage extension. 472 */ 473 public abstract boolean[] getKeyUsage(); 474 475 /** 476 * Gets an unmodifiable list of Strings representing the OBJECT 477 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the 478 * extended key usage extension, (OID = 2.5.29.37). It indicates 479 * one or more purposes for which the certified public key may be 480 * used, in addition to or in place of the basic purposes 481 * indicated in the key usage extension field. The ASN.1 482 * definition for this is: 483 * <pre> 484 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 485 * 486 * KeyPurposeId ::= OBJECT IDENTIFIER 487 * </pre> 488 * 489 * Key purposes may be defined by any organization with a 490 * need. Object identifiers used to identify key purposes shall be 491 * assigned in accordance with IANA or ITU-T Rec. X.660 | 492 * ISO/IEC/ITU 9834-1. 493 * <p> 494 * This method was added to version 1.4 of the Java 2 Platform Standard 495 * Edition. In order to maintain backwards compatibility with existing 496 * service providers, this method is not {@code abstract} 497 * and it provides a default implementation. Subclasses 498 * should override this method with a correct implementation. 499 * 500 * @return the ExtendedKeyUsage extension of this certificate, 501 * as an unmodifiable list of object identifiers represented 502 * as Strings. Returns null if this certificate does not 503 * contain an ExtendedKeyUsage extension. 504 * @throws CertificateParsingException if the extension cannot be decoded 505 * @since 1.4 506 */ 507 public List<String> getExtendedKeyUsage() throws CertificateParsingException { 508 return X509CertImpl.getExtendedKeyUsage(this); 509 } 510 511 /** 512 * Gets the certificate constraints path length from the 513 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19). 514 * <p> 515 * The basic constraints extension identifies whether the subject 516 * of the certificate is a Certificate Authority (CA) and 517 * how deep a certification path may exist through that CA. The 518 * {@code pathLenConstraint} field (see below) is meaningful 519 * only if {@code cA} is set to TRUE. In this case, it gives the 520 * maximum number of CA certificates that may follow this certificate in a 521 * certification path. A value of zero indicates that only an end-entity 522 * certificate may follow in the path. 523 * <p> 524 * The ASN.1 definition for this is: 525 * <pre> 526 * BasicConstraints ::= SEQUENCE { 527 * cA BOOLEAN DEFAULT FALSE, 528 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 529 * </pre> 530 * 531 * @return the value of {@code pathLenConstraint} if the 532 * BasicConstraints extension is present in the certificate and the 533 * subject of the certificate is a CA, otherwise -1. 534 * If the subject of the certificate is a CA and 535 * {@code pathLenConstraint} does not appear, 536 * {@code Integer.MAX_VALUE} is returned to indicate that there is no 537 * limit to the allowed length of the certification path. 538 */ 539 public abstract int getBasicConstraints(); 540 541 /** 542 * Gets an immutable collection of subject alternative names from the 543 * {@code SubjectAltName} extension, (OID = 2.5.29.17). 544 * <p> 545 * The ASN.1 definition of the {@code SubjectAltName} extension is: 546 * <pre> 547 * SubjectAltName ::= GeneralNames 548 * 549 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName 550 * 551 * GeneralName ::= CHOICE { 552 * otherName [0] OtherName, 553 * rfc822Name [1] IA5String, 554 * dNSName [2] IA5String, 555 * x400Address [3] ORAddress, 556 * directoryName [4] Name, 557 * ediPartyName [5] EDIPartyName, 558 * uniformResourceIdentifier [6] IA5String, 559 * iPAddress [7] OCTET STRING, 560 * registeredID [8] OBJECT IDENTIFIER} 561 * </pre> 562 * <p> 563 * If this certificate does not contain a {@code SubjectAltName} 564 * extension, {@code null} is returned. Otherwise, a 565 * {@code Collection} is returned with an entry representing each 566 * {@code GeneralName} included in the extension. Each entry is a 567 * {@code List} whose first entry is an {@code Integer} 568 * (the name type, 0-8) and whose second entry is a {@code String} 569 * or a byte array (the name, in string or ASN.1 DER encoded form, 570 * respectively). 571 * <p> 572 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI 573 * names are returned as {@code String}s, 574 * using the well-established string formats for those types (subject to 575 * the restrictions included in RFC 5280). IPv4 address names are 576 * returned using dotted quad notation. IPv6 address names are returned 577 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values 578 * representing the eight 16-bit pieces of the address. OID names are 579 * returned as {@code String}s represented as a series of nonnegative 580 * integers separated by periods. And directory names (distinguished names) 581 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt"> 582 * RFC 2253</a> string format. No standard string format is 583 * defined for otherNames, X.400 names, EDI party names, or any 584 * other type of names. They are returned as byte arrays 585 * containing the ASN.1 DER encoded form of the name. 586 * <p> 587 * Note that the {@code Collection} returned may contain more 588 * than one name of the same type. Also, note that the returned 589 * {@code Collection} is immutable and any entries containing byte 590 * arrays are cloned to protect against subsequent modifications. 591 * <p> 592 * This method was added to version 1.4 of the Java 2 Platform Standard 593 * Edition. In order to maintain backwards compatibility with existing 594 * service providers, this method is not {@code abstract} 595 * and it provides a default implementation. Subclasses 596 * should override this method with a correct implementation. 597 * 598 * @return an immutable {@code Collection} of subject alternative 599 * names (or {@code null}) 600 * @throws CertificateParsingException if the extension cannot be decoded 601 * @since 1.4 602 */ 603 public Collection<List<?>> getSubjectAlternativeNames() 604 throws CertificateParsingException { 605 return X509CertImpl.getSubjectAlternativeNames(this); 606 } 607 608 /** 609 * Gets an immutable collection of issuer alternative names from the 610 * {@code IssuerAltName} extension, (OID = 2.5.29.18). 611 * <p> 612 * The ASN.1 definition of the {@code IssuerAltName} extension is: 613 * <pre> 614 * IssuerAltName ::= GeneralNames 615 * </pre> 616 * The ASN.1 definition of {@code GeneralNames} is defined 617 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}. 618 * <p> 619 * If this certificate does not contain an {@code IssuerAltName} 620 * extension, {@code null} is returned. Otherwise, a 621 * {@code Collection} is returned with an entry representing each 622 * {@code GeneralName} included in the extension. Each entry is a 623 * {@code List} whose first entry is an {@code Integer} 624 * (the name type, 0-8) and whose second entry is a {@code String} 625 * or a byte array (the name, in string or ASN.1 DER encoded form, 626 * respectively). For more details about the formats used for each 627 * name type, see the {@code getSubjectAlternativeNames} method. 628 * <p> 629 * Note that the {@code Collection} returned may contain more 630 * than one name of the same type. Also, note that the returned 631 * {@code Collection} is immutable and any entries containing byte 632 * arrays are cloned to protect against subsequent modifications. 633 * <p> 634 * This method was added to version 1.4 of the Java 2 Platform Standard 635 * Edition. In order to maintain backwards compatibility with existing 636 * service providers, this method is not {@code abstract} 637 * and it provides a default implementation. Subclasses 638 * should override this method with a correct implementation. 639 * 640 * @return an immutable {@code Collection} of issuer alternative 641 * names (or {@code null}) 642 * @throws CertificateParsingException if the extension cannot be decoded 643 * @since 1.4 644 */ 645 public Collection<List<?>> getIssuerAlternativeNames() 646 throws CertificateParsingException { 647 return X509CertImpl.getIssuerAlternativeNames(this); 648 } 649 650 /** 651 * Verifies that this certificate was signed using the 652 * private key that corresponds to the specified public key. 653 * This method uses the signature verification engine 654 * supplied by the specified provider. Note that the specified 655 * Provider object does not have to be registered in the provider list. 656 * 657 * This method was added to version 1.8 of the Java Platform Standard 658 * Edition. In order to maintain backwards compatibility with existing 659 * service providers, this method is not {@code abstract} 660 * and it provides a default implementation. 661 * 662 * @param key the PublicKey used to carry out the verification. 663 * @param sigProvider the signature provider. 664 * 665 * @exception NoSuchAlgorithmException on unsupported signature 666 * algorithms. 667 * @exception InvalidKeyException on incorrect key. 668 * @exception SignatureException on signature errors. 669 * @exception CertificateException on encoding errors. 670 * @exception UnsupportedOperationException if the method is not supported 671 * @since 1.8 672 */ 673 public void verify(PublicKey key, Provider sigProvider) 674 throws CertificateException, NoSuchAlgorithmException, 675 InvalidKeyException, SignatureException { 676 X509CertImpl.verify(this, key, sigProvider); 677 } 678 }