1 /* 2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package javax.security.cert; 28 29 import java.io.InputStream; 30 import java.lang.Class; 31 import java.lang.reflect.Constructor; 32 import java.lang.reflect.InvocationTargetException; 33 import java.security.Security; 34 35 import java.math.BigInteger; 36 import java.security.AccessController; 37 import java.security.Principal; 38 import java.security.PrivilegedAction; 39 import java.security.PublicKey; 40 import java.util.BitSet; 41 import java.util.Date; 42 43 /** 44 * Abstract class for X.509 v1 certificates. This provides a standard 45 * way to access all the version 1 attributes of an X.509 certificate. 46 * Attributes that are specific to X.509 v2 or v3 are not available 47 * through this interface. Future API evolution will provide full access to 48 * complete X.509 v3 attributes. 49 * <p> 50 * The basic X.509 format was defined by 51 * ISO/IEC and ANSI X9 and is described below in ASN.1: 52 * <pre> 53 * Certificate ::= SEQUENCE { 54 * tbsCertificate TBSCertificate, 55 * signatureAlgorithm AlgorithmIdentifier, 56 * signature BIT STRING } 57 * </pre> 58 * <p> 59 * These certificates are widely used to support authentication and 60 * other functionality in Internet security systems. Common applications 61 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 62 * code signing for trusted software distribution, and Secure Electronic 63 * Transactions (SET). 64 * <p> 65 * These certificates are managed and vouched for by <em>Certificate 66 * Authorities</em> (CAs). CAs are services which create certificates by 67 * placing data in the X.509 standard format and then digitally signing 68 * that data. CAs act as trusted third parties, making introductions 69 * between principals who have no direct knowledge of each other. 70 * CA certificates are either signed by themselves, or by some other 71 * CA such as a "root" CA. 72 * <p> 73 * The ASN.1 definition of {@code tbsCertificate} is: 74 * <pre> 75 * TBSCertificate ::= SEQUENCE { 76 * version [0] EXPLICIT Version DEFAULT v1, 77 * serialNumber CertificateSerialNumber, 78 * signature AlgorithmIdentifier, 79 * issuer Name, 80 * validity Validity, 81 * subject Name, 82 * subjectPublicKeyInfo SubjectPublicKeyInfo, 83 * } 84 * </pre> 85 * <p> 86 * Here is sample code to instantiate an X.509 certificate: 87 * <pre> 88 * InputStream inStream = new FileInputStream("fileName-of-cert"); 89 * X509Certificate cert = X509Certificate.getInstance(inStream); 90 * inStream.close(); 91 * </pre> 92 * OR 93 * <pre> 94 * byte[] certData = <certificate read from a file, say> 95 * X509Certificate cert = X509Certificate.getInstance(certData); 96 * </pre> 97 * <p> 98 * In either case, the code that instantiates an X.509 certificate 99 * consults the value of the {@code cert.provider.x509v1} security property 100 * to locate the actual implementation or instantiates a default implementation. 101 * <p> 102 * The {@code cert.provider.x509v1} property is set to a default 103 * implementation for X.509 such as: 104 * <pre> 105 * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl 106 * </pre> 107 * <p> 108 * The value of this {@code cert.provider.x509v1} property has to be 109 * changed to instantiate another implementation. If this security 110 * property is not set, a default implementation will be used. 111 * Currently, due to possible security restrictions on access to 112 * Security properties, this value is looked up and cached at class 113 * initialization time and will fallback on a default implementation if 114 * the Security property is not accessible. 115 * 116 * <p><em>Note: The classes in the package {@code javax.security.cert} 117 * exist for compatibility with earlier versions of the 118 * Java Secure Sockets Extension (JSSE). New applications should instead 119 * use the standard Java SE certificate classes located in 120 * {@code java.security.cert}.</em></p> 121 * 122 * @author Hemma Prafullchandra 123 * @since 1.4 124 * @see Certificate 125 * @see java.security.cert.X509Extension 126 * @see java.security.Security security properties 127 * @deprecated Use the classes in {@code java.security.cert} instead. 128 */ 129 @SuppressWarnings("removal") 130 @Deprecated(since="9", forRemoval=true) 131 public abstract class X509Certificate extends Certificate { 132 133 /** 134 * Constant to lookup in the Security properties file. 135 * In the Security properties file the default implementation 136 * for X.509 v3 is given as: 137 * <pre> 138 * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl 139 * </pre> 140 */ 141 private static final String X509_PROVIDER = "cert.provider.x509v1"; 142 private static String X509Provider; 143 144 static { 145 X509Provider = AccessController.doPrivileged( 146 new PrivilegedAction<>() { 147 public String run() { 148 return Security.getProperty(X509_PROVIDER); 149 } 150 } 151 ); 152 } 153 154 /** 155 * Instantiates an X509Certificate object, and initializes it with 156 * the data read from the input stream {@code inStream}. 157 * The implementation (X509Certificate is an abstract class) is 158 * provided by the class specified as the value of the 159 * {@code cert.provider.x509v1} security property. 160 * 161 * <p>Note: Only one DER-encoded 162 * certificate is expected to be in the input stream. 163 * Also, all X509Certificate 164 * subclasses must provide a constructor of the form: 165 * <pre>{@code 166 * public <subClass>(InputStream inStream) ... 167 * }</pre> 168 * 169 * @param inStream an input stream with the data to be read to 170 * initialize the certificate. 171 * @return an X509Certificate object initialized with the data 172 * from the input stream. 173 * @exception CertificateException if a class initialization 174 * or certificate parsing error occurs. 175 */ 176 public static final X509Certificate getInstance(InputStream inStream) 177 throws CertificateException { 178 return getInst((Object)inStream); 179 } 180 181 /** 182 * Instantiates an X509Certificate object, and initializes it with 183 * the specified byte array. 184 * The implementation (X509Certificate is an abstract class) is 185 * provided by the class specified as the value of the 186 * {@code cert.provider.x509v1} security property. 187 * 188 * <p>Note: All X509Certificate 189 * subclasses must provide a constructor of the form: 190 * <pre>{@code 191 * public <subClass>(InputStream inStream) ... 192 * }</pre> 193 * 194 * @param certData a byte array containing the DER-encoded 195 * certificate. 196 * @return an X509Certificate object initialized with the data 197 * from {@code certData}. 198 * @exception CertificateException if a class initialization 199 * or certificate parsing error occurs. 200 */ 201 public static final X509Certificate getInstance(byte[] certData) 202 throws CertificateException { 203 return getInst((Object)certData); 204 } 205 206 private static final X509Certificate getInst(Object value) 207 throws CertificateException { 208 /* 209 * This turns out not to work for now. To run under JDK1.2 we would 210 * need to call beginPrivileged() but we can't do that and run 211 * under JDK1.1. 212 */ 213 String className = X509Provider; 214 if (className == null || className.isEmpty()) { 215 // shouldn't happen, but assume corrupted properties file 216 // provide access to sun implementation 217 className = "com.sun.security.cert.internal.x509.X509V1CertImpl"; 218 } 219 try { 220 Class<?>[] params = null; 221 if (value instanceof InputStream) { 222 params = new Class<?>[] { InputStream.class }; 223 } else if (value instanceof byte[]) { 224 params = new Class<?>[] { value.getClass() }; 225 } else 226 throw new CertificateException("Unsupported argument type"); 227 Class<?> certClass = Class.forName(className); 228 229 // get the appropriate constructor and instantiate it 230 Constructor<?> cons = certClass.getConstructor(params); 231 232 // get a new instance 233 Object obj = cons.newInstance(new Object[] {value}); 234 return (X509Certificate)obj; 235 236 } catch (ClassNotFoundException e) { 237 throw new CertificateException("Could not find class: " + e); 238 } catch (IllegalAccessException e) { 239 throw new CertificateException("Could not access class: " + e); 240 } catch (InstantiationException e) { 241 throw new CertificateException("Problems instantiating: " + e); 242 } catch (InvocationTargetException e) { 243 throw new CertificateException("InvocationTargetException: " 244 + e.getTargetException()); 245 } catch (NoSuchMethodException e) { 246 throw new CertificateException("Could not find class method: " 247 + e.getMessage()); 248 } 249 } 250 251 /** 252 * Checks that the certificate is currently valid. It is if 253 * the current date and time are within the validity period given in the 254 * certificate. 255 * <p> 256 * The validity period consists of two date/time values: 257 * the first and last dates (and times) on which the certificate 258 * is valid. It is defined in 259 * ASN.1 as: 260 * <pre> 261 * validity Validity 262 * 263 * Validity ::= SEQUENCE { 264 * notBefore CertificateValidityDate, 265 * notAfter CertificateValidityDate } 266 * 267 * CertificateValidityDate ::= CHOICE { 268 * utcTime UTCTime, 269 * generalTime GeneralizedTime } 270 * </pre> 271 * 272 * @exception CertificateExpiredException if the certificate has expired. 273 * @exception CertificateNotYetValidException if the certificate is not 274 * yet valid. 275 */ 276 public abstract void checkValidity() 277 throws CertificateExpiredException, CertificateNotYetValidException; 278 279 /** 280 * Checks that the specified date is within the certificate's 281 * validity period. In other words, this determines whether the 282 * certificate would be valid at the specified date/time. 283 * 284 * @param date the Date to check against to see if this certificate 285 * is valid at that date/time. 286 * @exception CertificateExpiredException if the certificate has expired 287 * with respect to the {@code date} supplied. 288 * @exception CertificateNotYetValidException if the certificate is not 289 * yet valid with respect to the {@code date} supplied. 290 * @see #checkValidity() 291 */ 292 public abstract void checkValidity(Date date) 293 throws CertificateExpiredException, CertificateNotYetValidException; 294 295 /** 296 * Gets the {@code version} (version number) value from the 297 * certificate. The ASN.1 definition for this is: 298 * <pre> 299 * version [0] EXPLICIT Version DEFAULT v1 300 * 301 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 302 * </pre> 303 * 304 * @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2. 305 */ 306 public abstract int getVersion(); 307 308 /** 309 * Gets the {@code serialNumber} value from the certificate. 310 * The serial number is an integer assigned by the certification 311 * authority to each certificate. It must be unique for each 312 * certificate issued by a given CA (i.e., the issuer name and 313 * serial number identify a unique certificate). 314 * The ASN.1 definition for this is: 315 * <pre> 316 * serialNumber CertificateSerialNumber 317 * 318 * CertificateSerialNumber ::= INTEGER 319 * </pre> 320 * 321 * @return the serial number. 322 */ 323 public abstract BigInteger getSerialNumber(); 324 325 /** 326 * Gets the {@code issuer} (issuer distinguished name) value from 327 * the certificate. The issuer name identifies the entity that signed (and 328 * issued) the certificate. 329 * 330 * <p>The issuer name field contains an 331 * X.500 distinguished name (DN). 332 * The ASN.1 definition for this is: 333 * <pre> 334 * issuer Name 335 * 336 * Name ::= CHOICE { RDNSequence } 337 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 338 * RelativeDistinguishedName ::= 339 * SET OF AttributeValueAssertion 340 * 341 * AttributeValueAssertion ::= SEQUENCE { 342 * AttributeType, 343 * AttributeValue } 344 * AttributeType ::= OBJECT IDENTIFIER 345 * AttributeValue ::= ANY 346 * </pre> 347 * The {@code Name} describes a hierarchical name composed of 348 * attributes, such as country name, and corresponding values, such as US. 349 * The type of the {@code AttributeValue} component is determined by 350 * the {@code AttributeType}; in general it will be a 351 * {@code directoryString}. A {@code directoryString} is usually 352 * one of {@code PrintableString}, 353 * {@code TeletexString} or {@code UniversalString}. 354 * 355 * @return a Principal whose name is the issuer distinguished name. 356 */ 357 public abstract Principal getIssuerDN(); 358 359 /** 360 * Gets the {@code subject} (subject distinguished name) value 361 * from the certificate. 362 * The ASN.1 definition for this is: 363 * <pre> 364 * subject Name 365 * </pre> 366 * 367 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 368 * and other relevant definitions. 369 * 370 * @return a Principal whose name is the subject name. 371 * @see #getIssuerDN() 372 */ 373 public abstract Principal getSubjectDN(); 374 375 /** 376 * Gets the {@code notBefore} date from the validity period of 377 * the certificate. 378 * The relevant ASN.1 definitions are: 379 * <pre> 380 * validity Validity 381 * 382 * Validity ::= SEQUENCE { 383 * notBefore CertificateValidityDate, 384 * notAfter CertificateValidityDate } 385 * 386 * CertificateValidityDate ::= CHOICE { 387 * utcTime UTCTime, 388 * generalTime GeneralizedTime } 389 * </pre> 390 * 391 * @return the start date of the validity period. 392 * @see #checkValidity() 393 */ 394 public abstract Date getNotBefore(); 395 396 /** 397 * Gets the {@code notAfter} date from the validity period of 398 * the certificate. See {@link #getNotBefore() getNotBefore} 399 * for relevant ASN.1 definitions. 400 * 401 * @return the end date of the validity period. 402 * @see #checkValidity() 403 */ 404 public abstract Date getNotAfter(); 405 406 /** 407 * Gets the signature algorithm name for the certificate 408 * signature algorithm. An example is the string "SHA-1/DSA". 409 * The ASN.1 definition for this is: 410 * <pre> 411 * signatureAlgorithm AlgorithmIdentifier 412 * 413 * AlgorithmIdentifier ::= SEQUENCE { 414 * algorithm OBJECT IDENTIFIER, 415 * parameters ANY DEFINED BY algorithm OPTIONAL } 416 * -- contains a value of the type 417 * -- registered for use with the 418 * -- algorithm object identifier value 419 * </pre> 420 * 421 * <p>The algorithm name is determined from the {@code algorithm} 422 * OID string. 423 * 424 * @return the signature algorithm name. 425 */ 426 public abstract String getSigAlgName(); 427 428 /** 429 * Gets the signature algorithm OID string from the certificate. 430 * An OID is represented by a set of positive whole numbers separated 431 * by periods. 432 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 433 * with DSA signature algorithm, as per the PKIX part I. 434 * 435 * <p>See {@link #getSigAlgName() getSigAlgName} for 436 * relevant ASN.1 definitions. 437 * 438 * @return the signature algorithm OID string. 439 */ 440 public abstract String getSigAlgOID(); 441 442 /** 443 * Gets the DER-encoded signature algorithm parameters from this 444 * certificate's signature algorithm. In most cases, the signature 445 * algorithm parameters are null; the parameters are usually 446 * supplied with the certificate's public key. 447 * 448 * <p>See {@link #getSigAlgName() getSigAlgName} for 449 * relevant ASN.1 definitions. 450 * 451 * @return the DER-encoded signature algorithm parameters, or 452 * null if no parameters are present. 453 */ 454 public abstract byte[] getSigAlgParams(); 455 }