1 /* 2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.math.BigInteger; 29 import java.security.*; 30 import java.util.Collection; 31 import java.util.Date; 32 import java.util.List; 33 import javax.security.auth.x500.X500Principal; 34 35 import sun.security.x509.X509CertImpl; 36 37 /** 38 * <p> 39 * Abstract class for X.509 certificates. This provides a standard 40 * way to access all the attributes of an X.509 certificate. 41 * <p> 42 * In June of 1996, the basic X.509 v3 format was completed by 43 * ISO/IEC and ANSI X9, which is described below in ASN.1: 44 * <pre> 45 * Certificate ::= SEQUENCE { 46 * tbsCertificate TBSCertificate, 47 * signatureAlgorithm AlgorithmIdentifier, 48 * signature BIT STRING } 49 * </pre> 50 * <p> 51 * These certificates are widely used to support authentication and 52 * other functionality in Internet security systems. Common applications 53 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 54 * code signing for trusted software distribution, and Secure Electronic 55 * Transactions (SET). 56 * <p> 57 * These certificates are managed and vouched for by <em>Certificate 58 * Authorities</em> (CAs). CAs are services which create certificates by 59 * placing data in the X.509 standard format and then digitally signing 60 * that data. CAs act as trusted third parties, making introductions 61 * between principals who have no direct knowledge of each other. 62 * CA certificates are either signed by themselves, or by some other 63 * CA such as a "root" CA. 64 * <p> 65 * More information can be found in 66 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 67 * Public Key Infrastructure Certificate and CRL Profile</a>. 68 * <p> 69 * The ASN.1 definition of {@code tbsCertificate} is: 70 * <pre> 71 * TBSCertificate ::= SEQUENCE { 72 * version [0] EXPLICIT Version DEFAULT v1, 73 * serialNumber CertificateSerialNumber, 74 * signature AlgorithmIdentifier, 75 * issuer Name, 76 * validity Validity, 77 * subject Name, 78 * subjectPublicKeyInfo SubjectPublicKeyInfo, 79 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 80 * -- If present, version must be v2 or v3 81 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 82 * -- If present, version must be v2 or v3 83 * extensions [3] EXPLICIT Extensions OPTIONAL 84 * -- If present, version must be v3 85 * } 86 * </pre> 87 * <p> 88 * Certificates are instantiated using a certificate factory. The following is 89 * an example of how to instantiate an X.509 certificate: 90 * <pre> 91 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) { 92 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 93 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream); 94 * } 95 * </pre> 96 * 97 * @author Hemma Prafullchandra 98 * @since 1.2 99 * 100 * 101 * @see Certificate 102 * @see CertificateFactory 103 * @see X509Extension 104 */ 105 106 public abstract class X509Certificate extends Certificate 107 implements X509Extension { 108 109 private static final long serialVersionUID = -2491127588187038216L; 110 111 private transient X500Principal subjectX500Principal, issuerX500Principal; 112 113 /** 114 * Constructor for X.509 certificates. 115 */ 116 protected X509Certificate() { 117 super("X.509"); 118 } 119 120 /** 121 * Checks that the certificate is currently valid. It is if 122 * the current date and time are within the validity period given in the 123 * certificate. 124 * <p> 125 * The validity period consists of two date/time values: 126 * the first and last dates (and times) on which the certificate 127 * is valid. It is defined in 128 * ASN.1 as: 129 * <pre> 130 * validity Validity 131 * 132 * Validity ::= SEQUENCE { 133 * notBefore CertificateValidityDate, 134 * notAfter CertificateValidityDate } 135 * 136 * CertificateValidityDate ::= CHOICE { 137 * utcTime UTCTime, 138 * generalTime GeneralizedTime } 139 * </pre> 140 * 141 * @exception CertificateExpiredException if the certificate has expired. 142 * @exception CertificateNotYetValidException if the certificate is not 143 * yet valid. 144 */ 145 public abstract void checkValidity() 146 throws CertificateExpiredException, CertificateNotYetValidException; 147 148 /** 149 * Checks that the given date is within the certificate's 150 * validity period. In other words, this determines whether the 151 * certificate would be valid at the given date/time. 152 * 153 * @param date the Date to check against to see if this certificate 154 * is valid at that date/time. 155 * 156 * @exception CertificateExpiredException if the certificate has expired 157 * with respect to the {@code date} supplied. 158 * @exception CertificateNotYetValidException if the certificate is not 159 * yet valid with respect to the {@code date} supplied. 160 * 161 * @see #checkValidity() 162 */ 163 public abstract void checkValidity(Date date) 164 throws CertificateExpiredException, CertificateNotYetValidException; 165 166 /** 167 * Gets the {@code version} (version number) value from the 168 * certificate. 169 * The ASN.1 definition for this is: 170 * <pre> 171 * version [0] EXPLICIT Version DEFAULT v1 172 * 173 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 174 * </pre> 175 * @return the version number, i.e. 1, 2 or 3. 176 */ 177 public abstract int getVersion(); 178 179 /** 180 * Gets the {@code serialNumber} value from the certificate. 181 * The serial number is an integer assigned by the certification 182 * authority to each certificate. It must be unique for each 183 * certificate issued by a given CA (i.e., the issuer name and 184 * serial number identify a unique certificate). 185 * The ASN.1 definition for this is: 186 * <pre> 187 * serialNumber CertificateSerialNumber 188 * 189 * CertificateSerialNumber ::= INTEGER 190 * </pre> 191 * 192 * @return the serial number. 193 */ 194 public abstract BigInteger getSerialNumber(); 195 196 /** 197 * <strong>Denigrated</strong>, replaced by {@linkplain 198 * #getIssuerX500Principal()}. This method returns the {@code issuer} 199 * as an implementation specific Principal object, which should not be 200 * relied upon by portable code. 201 * 202 * <p> 203 * Gets the {@code issuer} (issuer distinguished name) value from 204 * the certificate. The issuer name identifies the entity that signed (and 205 * issued) the certificate. 206 * 207 * <p>The issuer name field contains an 208 * X.500 distinguished name (DN). 209 * The ASN.1 definition for this is: 210 * <pre> 211 * issuer Name 212 * 213 * Name ::= CHOICE { RDNSequence } 214 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 215 * RelativeDistinguishedName ::= 216 * SET OF AttributeValueAssertion 217 * 218 * AttributeValueAssertion ::= SEQUENCE { 219 * AttributeType, 220 * AttributeValue } 221 * AttributeType ::= OBJECT IDENTIFIER 222 * AttributeValue ::= ANY 223 * </pre> 224 * The {@code Name} describes a hierarchical name composed of 225 * attributes, 226 * such as country name, and corresponding values, such as US. 227 * The type of the {@code AttributeValue} component is determined by 228 * the {@code AttributeType}; in general it will be a 229 * {@code directoryString}. A {@code directoryString} is usually 230 * one of {@code PrintableString}, 231 * {@code TeletexString} or {@code UniversalString}. 232 * 233 * @return a Principal whose name is the issuer distinguished name. 234 */ 235 public abstract Principal getIssuerDN(); 236 237 /** 238 * Returns the issuer (issuer distinguished name) value from the 239 * certificate as an {@code X500Principal}. 240 * <p> 241 * It is recommended that subclasses override this method. 242 * 243 * @return an {@code X500Principal} representing the issuer 244 * distinguished name 245 * @since 1.4 246 */ 247 public X500Principal getIssuerX500Principal() { 248 if (issuerX500Principal == null) { 249 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this); 250 } 251 return issuerX500Principal; 252 } 253 254 /** 255 * <strong>Denigrated</strong>, replaced by {@linkplain 256 * #getSubjectX500Principal()}. This method returns the {@code subject} 257 * as an implementation specific Principal object, which should not be 258 * relied upon by portable code. 259 * 260 * <p> 261 * Gets the {@code subject} (subject distinguished name) value 262 * from the certificate. If the {@code subject} value is empty, 263 * then the {@code getName()} method of the returned 264 * {@code Principal} object returns an empty string (""). 265 * 266 * <p> The ASN.1 definition for this is: 267 * <pre> 268 * subject Name 269 * </pre> 270 * 271 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 272 * and other relevant definitions. 273 * 274 * @return a Principal whose name is the subject name. 275 */ 276 public abstract Principal getSubjectDN(); 277 278 /** 279 * Returns the subject (subject distinguished name) value from the 280 * certificate as an {@code X500Principal}. If the subject value 281 * is empty, then the {@code getName()} method of the returned 282 * {@code X500Principal} object returns an empty string (""). 283 * <p> 284 * It is recommended that subclasses override this method. 285 * 286 * @return an {@code X500Principal} representing the subject 287 * distinguished name 288 * @since 1.4 289 */ 290 public X500Principal getSubjectX500Principal() { 291 if (subjectX500Principal == null) { 292 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this); 293 } 294 return subjectX500Principal; 295 } 296 297 /** 298 * Gets the {@code notBefore} date from the validity period of 299 * the certificate. 300 * The relevant ASN.1 definitions are: 301 * <pre> 302 * validity Validity 303 * 304 * Validity ::= SEQUENCE { 305 * notBefore CertificateValidityDate, 306 * notAfter CertificateValidityDate } 307 * 308 * CertificateValidityDate ::= CHOICE { 309 * utcTime UTCTime, 310 * generalTime GeneralizedTime } 311 * </pre> 312 * 313 * @return the start date of the validity period. 314 * @see #checkValidity 315 */ 316 public abstract Date getNotBefore(); 317 318 /** 319 * Gets the {@code notAfter} date from the validity period of 320 * the certificate. See {@link #getNotBefore() getNotBefore} 321 * for relevant ASN.1 definitions. 322 * 323 * @return the end date of the validity period. 324 * @see #checkValidity 325 */ 326 public abstract Date getNotAfter(); 327 328 /** 329 * Gets the DER-encoded certificate information, the 330 * {@code tbsCertificate} from this certificate. 331 * This can be used to verify the signature independently. 332 * 333 * @return the DER-encoded certificate information. 334 * @exception CertificateEncodingException if an encoding error occurs. 335 */ 336 public abstract byte[] getTBSCertificate() 337 throws CertificateEncodingException; 338 339 /** 340 * Gets the {@code signature} value (the raw signature bits) from 341 * the certificate. 342 * The ASN.1 definition for this is: 343 * <pre> 344 * signature BIT STRING 345 * </pre> 346 * 347 * @return the signature. 348 */ 349 public abstract byte[] getSignature(); 350 351 /** 352 * Gets the signature algorithm name for the certificate 353 * signature algorithm. An example is the string "SHA256withRSA". 354 * The ASN.1 definition for this is: 355 * <pre> 356 * signatureAlgorithm AlgorithmIdentifier 357 * 358 * AlgorithmIdentifier ::= SEQUENCE { 359 * algorithm OBJECT IDENTIFIER, 360 * parameters ANY DEFINED BY algorithm OPTIONAL } 361 * -- contains a value of the type 362 * -- registered for use with the 363 * -- algorithm object identifier value 364 * </pre> 365 * 366 * <p>The algorithm name is determined from the {@code algorithm} 367 * OID string. 368 * 369 * @return the signature algorithm name. 370 */ 371 public abstract String getSigAlgName(); 372 373 /** 374 * Gets the signature algorithm OID string from the certificate. 375 * An OID is represented by a set of nonnegative whole numbers separated 376 * by periods. 377 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 378 * with DSA signature algorithm defined in 379 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 380 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 381 * and CRL Profile</a>. 382 * 383 * <p>See {@link #getSigAlgName() getSigAlgName} for 384 * relevant ASN.1 definitions. 385 * 386 * @return the signature algorithm OID string. 387 */ 388 public abstract String getSigAlgOID(); 389 390 /** 391 * Gets the DER-encoded signature algorithm parameters from this 392 * certificate's signature algorithm. In most cases, the signature 393 * algorithm parameters are null; the parameters are usually 394 * supplied with the certificate's public key. 395 * If access to individual parameter values is needed then use 396 * {@link java.security.AlgorithmParameters AlgorithmParameters} 397 * and instantiate with the name returned by 398 * {@link #getSigAlgName() getSigAlgName}. 399 * 400 * <p>See {@link #getSigAlgName() getSigAlgName} for 401 * relevant ASN.1 definitions. 402 * 403 * @return the DER-encoded signature algorithm parameters, or 404 * null if no parameters are present. 405 */ 406 public abstract byte[] getSigAlgParams(); 407 408 /** 409 * Gets the {@code issuerUniqueID} value from the certificate. 410 * The issuer unique identifier is present in the certificate 411 * to handle the possibility of reuse of issuer names over time. 412 * RFC 5280 recommends that names not be reused and that 413 * conforming certificates not make use of unique identifiers. 414 * Applications conforming to that profile should be capable of 415 * parsing unique identifiers and making comparisons. 416 * 417 * <p>The ASN.1 definition for this is: 418 * <pre> 419 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL 420 * 421 * UniqueIdentifier ::= BIT STRING 422 * </pre> 423 * 424 * @return the issuer unique identifier or null if it is not 425 * present in the certificate. 426 */ 427 public abstract boolean[] getIssuerUniqueID(); 428 429 /** 430 * Gets the {@code subjectUniqueID} value from the certificate. 431 * 432 * <p>The ASN.1 definition for this is: 433 * <pre> 434 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 435 * 436 * UniqueIdentifier ::= BIT STRING 437 * </pre> 438 * 439 * @return the subject unique identifier or null if it is not 440 * present in the certificate. 441 */ 442 public abstract boolean[] getSubjectUniqueID(); 443 444 /** 445 * Gets a boolean array representing bits of 446 * the {@code KeyUsage} extension, (OID = 2.5.29.15). 447 * The key usage extension defines the purpose (e.g., encipherment, 448 * signature, certificate signing) of the key contained in the 449 * certificate. 450 * The ASN.1 definition for this is: 451 * <pre> 452 * KeyUsage ::= BIT STRING { 453 * digitalSignature (0), 454 * nonRepudiation (1), 455 * keyEncipherment (2), 456 * dataEncipherment (3), 457 * keyAgreement (4), 458 * keyCertSign (5), 459 * cRLSign (6), 460 * encipherOnly (7), 461 * decipherOnly (8) } 462 * </pre> 463 * RFC 5280 recommends that when used, this be marked 464 * as a critical extension. 465 * 466 * @return the KeyUsage extension of this certificate, represented as 467 * an array of booleans. The order of KeyUsage values in the array is 468 * the same as in the above ASN.1 definition. The array will contain a 469 * value for each KeyUsage defined above. If the KeyUsage list encoded 470 * in the certificate is longer than the above list, it will not be 471 * truncated. Returns null if this certificate does not 472 * contain a KeyUsage extension. 473 */ 474 public abstract boolean[] getKeyUsage(); 475 476 /** 477 * Gets an unmodifiable list of Strings representing the OBJECT 478 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the 479 * extended key usage extension, (OID = 2.5.29.37). It indicates 480 * one or more purposes for which the certified public key may be 481 * used, in addition to or in place of the basic purposes 482 * indicated in the key usage extension field. The ASN.1 483 * definition for this is: 484 * <pre> 485 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 486 * 487 * KeyPurposeId ::= OBJECT IDENTIFIER 488 * </pre> 489 * 490 * Key purposes may be defined by any organization with a 491 * need. Object identifiers used to identify key purposes shall be 492 * assigned in accordance with IANA or ITU-T Rec. X.660 | 493 * ISO/IEC/ITU 9834-1. 494 * <p> 495 * This method was added to version 1.4 of the Java 2 Platform Standard 496 * Edition. In order to maintain backwards compatibility with existing 497 * service providers, this method is not {@code abstract} 498 * and it provides a default implementation. Subclasses 499 * should override this method with a correct implementation. 500 * 501 * @return the ExtendedKeyUsage extension of this certificate, 502 * as an unmodifiable list of object identifiers represented 503 * as Strings. Returns null if this certificate does not 504 * contain an ExtendedKeyUsage extension. 505 * @throws CertificateParsingException if the extension cannot be decoded 506 * @since 1.4 507 */ 508 public List<String> getExtendedKeyUsage() throws CertificateParsingException { 509 return X509CertImpl.getExtendedKeyUsage(this); 510 } 511 512 /** 513 * Gets the certificate constraints path length from the 514 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19). 515 * <p> 516 * The basic constraints extension identifies whether the subject 517 * of the certificate is a Certificate Authority (CA) and 518 * how deep a certification path may exist through that CA. The 519 * {@code pathLenConstraint} field (see below) is meaningful 520 * only if {@code cA} is set to TRUE. In this case, it gives the 521 * maximum number of CA certificates that may follow this certificate in a 522 * certification path. A value of zero indicates that only an end-entity 523 * certificate may follow in the path. 524 * <p> 525 * The ASN.1 definition for this is: 526 * <pre> 527 * BasicConstraints ::= SEQUENCE { 528 * cA BOOLEAN DEFAULT FALSE, 529 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 530 * </pre> 531 * 532 * @return the value of {@code pathLenConstraint} if the 533 * BasicConstraints extension is present in the certificate and the 534 * subject of the certificate is a CA, otherwise -1. 535 * If the subject of the certificate is a CA and 536 * {@code pathLenConstraint} does not appear, 537 * {@code Integer.MAX_VALUE} is returned to indicate that there is no 538 * limit to the allowed length of the certification path. 539 */ 540 public abstract int getBasicConstraints(); 541 542 /** 543 * Gets an immutable collection of subject alternative names from the 544 * {@code SubjectAltName} extension, (OID = 2.5.29.17). 545 * <p> 546 * The ASN.1 definition of the {@code SubjectAltName} extension is: 547 * <pre> 548 * SubjectAltName ::= GeneralNames 549 * 550 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName 551 * 552 * GeneralName ::= CHOICE { 553 * otherName [0] OtherName, 554 * rfc822Name [1] IA5String, 555 * dNSName [2] IA5String, 556 * x400Address [3] ORAddress, 557 * directoryName [4] Name, 558 * ediPartyName [5] EDIPartyName, 559 * uniformResourceIdentifier [6] IA5String, 560 * iPAddress [7] OCTET STRING, 561 * registeredID [8] OBJECT IDENTIFIER} 562 * </pre> 563 * <p> 564 * If this certificate does not contain a {@code SubjectAltName} 565 * extension, {@code null} is returned. Otherwise, a 566 * {@code Collection} is returned with an entry representing each 567 * {@code GeneralName} included in the extension. Each entry is a 568 * {@code List} whose first entry is an {@code Integer} 569 * (the name type, 0-8) and whose second entry is a {@code String} 570 * or a byte array (the name, in string or ASN.1 DER encoded form, 571 * respectively). 572 * <p> 573 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI 574 * names are returned as {@code String}s, 575 * using the well-established string formats for those types (subject to 576 * the restrictions included in RFC 5280). IPv4 address names are 577 * returned using dotted quad notation. IPv6 address names are returned 578 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values 579 * representing the eight 16-bit pieces of the address. OID names are 580 * returned as {@code String}s represented as a series of nonnegative 581 * integers separated by periods. And directory names (distinguished names) 582 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt"> 583 * RFC 2253</a> string format. No standard string format is 584 * defined for otherNames, X.400 names, EDI party names, or any 585 * other type of names. They are returned as byte arrays 586 * containing the ASN.1 DER encoded form of the name. 587 * <p> 588 * Note that the {@code Collection} returned may contain more 589 * than one name of the same type. Also, note that the returned 590 * {@code Collection} is immutable and any entries containing byte 591 * arrays are cloned to protect against subsequent modifications. 592 * <p> 593 * This method was added to version 1.4 of the Java 2 Platform Standard 594 * Edition. In order to maintain backwards compatibility with existing 595 * service providers, this method is not {@code abstract} 596 * and it provides a default implementation. Subclasses 597 * should override this method with a correct implementation. 598 * 599 * @return an immutable {@code Collection} of subject alternative 600 * names (or {@code null}) 601 * @throws CertificateParsingException if the extension cannot be decoded 602 * @since 1.4 603 */ 604 public Collection<List<?>> getSubjectAlternativeNames() 605 throws CertificateParsingException { 606 return X509CertImpl.getSubjectAlternativeNames(this); 607 } 608 609 /** 610 * Gets an immutable collection of issuer alternative names from the 611 * {@code IssuerAltName} extension, (OID = 2.5.29.18). 612 * <p> 613 * The ASN.1 definition of the {@code IssuerAltName} extension is: 614 * <pre> 615 * IssuerAltName ::= GeneralNames 616 * </pre> 617 * The ASN.1 definition of {@code GeneralNames} is defined 618 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}. 619 * <p> 620 * If this certificate does not contain an {@code IssuerAltName} 621 * extension, {@code null} is returned. Otherwise, a 622 * {@code Collection} is returned with an entry representing each 623 * {@code GeneralName} included in the extension. Each entry is a 624 * {@code List} whose first entry is an {@code Integer} 625 * (the name type, 0-8) and whose second entry is a {@code String} 626 * or a byte array (the name, in string or ASN.1 DER encoded form, 627 * respectively). For more details about the formats used for each 628 * name type, see the {@code getSubjectAlternativeNames} method. 629 * <p> 630 * Note that the {@code Collection} returned may contain more 631 * than one name of the same type. Also, note that the returned 632 * {@code Collection} is immutable and any entries containing byte 633 * arrays are cloned to protect against subsequent modifications. 634 * <p> 635 * This method was added to version 1.4 of the Java 2 Platform Standard 636 * Edition. In order to maintain backwards compatibility with existing 637 * service providers, this method is not {@code abstract} 638 * and it provides a default implementation. Subclasses 639 * should override this method with a correct implementation. 640 * 641 * @return an immutable {@code Collection} of issuer alternative 642 * names (or {@code null}) 643 * @throws CertificateParsingException if the extension cannot be decoded 644 * @since 1.4 645 */ 646 public Collection<List<?>> getIssuerAlternativeNames() 647 throws CertificateParsingException { 648 return X509CertImpl.getIssuerAlternativeNames(this); 649 } 650 651 /** 652 * Verifies that this certificate was signed using the 653 * private key that corresponds to the specified public key. 654 * This method uses the signature verification engine 655 * supplied by the specified provider. Note that the specified 656 * Provider object does not have to be registered in the provider list. 657 * 658 * This method was added to version 1.8 of the Java Platform Standard 659 * Edition. In order to maintain backwards compatibility with existing 660 * service providers, this method is not {@code abstract} 661 * and it provides a default implementation. 662 * 663 * @param key the PublicKey used to carry out the verification. 664 * @param sigProvider the signature provider. 665 * 666 * @exception NoSuchAlgorithmException on unsupported signature 667 * algorithms. 668 * @exception InvalidKeyException on incorrect key. 669 * @exception SignatureException on signature errors. 670 * @exception CertificateException on encoding errors. 671 * @exception UnsupportedOperationException if the method is not supported 672 * @since 1.8 673 */ 674 public void verify(PublicKey key, Provider sigProvider) 675 throws CertificateException, NoSuchAlgorithmException, 676 InvalidKeyException, SignatureException { 677 X509CertImpl.verify(this, key, sigProvider); 678 } 679 }