1 /*
2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security.cert;
27
28 import java.math.BigInteger;
29 import java.security.*;
30 import java.security.spec.*;
31 import java.util.Collection;
32 import java.util.Date;
33 import java.util.List;
34 import javax.security.auth.x500.X500Principal;
35
36 import sun.security.x509.X509CertImpl;
37 import sun.security.util.SignatureUtil;
38
39 /**
40 * <p>
41 * Abstract class for X.509 certificates. This provides a standard
42 * way to access all the attributes of an X.509 certificate.
43 * <p>
44 * In June of 1996, the basic X.509 v3 format was completed by
45 * ISO/IEC and ANSI X9, which is described below in ASN.1:
46 * <pre>
47 * Certificate ::= SEQUENCE {
48 * tbsCertificate TBSCertificate,
49 * signatureAlgorithm AlgorithmIdentifier,
50 * signature BIT STRING }
51 * </pre>
52 * <p>
53 * These certificates are widely used to support authentication and
54 * other functionality in Internet security systems. Common applications
55 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
56 * code signing for trusted software distribution, and Secure Electronic
57 * Transactions (SET).
58 * <p>
59 * These certificates are managed and vouched for by <em>Certificate
60 * Authorities</em> (CAs). CAs are services which create certificates by
61 * placing data in the X.509 standard format and then digitally signing
62 * that data. CAs act as trusted third parties, making introductions
63 * between principals who have no direct knowledge of each other.
64 * CA certificates are either signed by themselves, or by some other
65 * CA such as a "root" CA.
66 * <p>
67 * More information can be found in
68 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
69 * Public Key Infrastructure Certificate and CRL Profile</a>.
70 * <p>
71 * The ASN.1 definition of {@code tbsCertificate} is:
72 * <pre>
73 * TBSCertificate ::= SEQUENCE {
74 * version [0] EXPLICIT Version DEFAULT v1,
75 * serialNumber CertificateSerialNumber,
76 * signature AlgorithmIdentifier,
77 * issuer Name,
78 * validity Validity,
79 * subject Name,
80 * subjectPublicKeyInfo SubjectPublicKeyInfo,
81 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
82 * -- If present, version must be v2 or v3
83 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
84 * -- If present, version must be v2 or v3
85 * extensions [3] EXPLICIT Extensions OPTIONAL
86 * -- If present, version must be v3
87 * }
88 * </pre>
89 * <p>
90 * Certificates are instantiated using a certificate factory. The following is
91 * an example of how to instantiate an X.509 certificate:
92 * <pre>
93 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
94 * CertificateFactory cf = CertificateFactory.getInstance("X.509");
95 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
96 * }
97 * </pre>
98 *
99 * @author Hemma Prafullchandra
100 * @since 1.2
101 *
102 *
103 * @see Certificate
104 * @see CertificateFactory
105 * @see X509Extension
106 */
107
108 public abstract class X509Certificate extends Certificate
109 implements X509Extension {
110
111 @java.io.Serial
112 private static final long serialVersionUID = -2491127588187038216L;
113
114 private transient X500Principal subjectX500Principal, issuerX500Principal;
115
116 /**
117 * Constructor for X.509 certificates.
118 */
119 protected X509Certificate() {
120 super("X.509");
121 }
122
123 /**
124 * Checks that the certificate is currently valid. It is if
125 * the current date and time are within the validity period given in the
126 * certificate.
127 * <p>
128 * The validity period consists of two date/time values:
129 * the first and last dates (and times) on which the certificate
130 * is valid. It is defined in
131 * ASN.1 as:
132 * <pre>
133 * validity Validity
134 *
135 * Validity ::= SEQUENCE {
136 * notBefore CertificateValidityDate,
137 * notAfter CertificateValidityDate }
138 *
139 * CertificateValidityDate ::= CHOICE {
140 * utcTime UTCTime,
141 * generalTime GeneralizedTime }
142 * </pre>
143 *
144 * @throws CertificateExpiredException if the certificate has expired.
145 * @throws CertificateNotYetValidException if the certificate is not
146 * yet valid.
147 */
148 public abstract void checkValidity()
149 throws CertificateExpiredException, CertificateNotYetValidException;
150
151 /**
152 * Checks that the given date is within the certificate's
153 * validity period. In other words, this determines whether the
154 * certificate would be valid at the given date/time.
155 *
156 * @param date the Date to check against to see if this certificate
157 * is valid at that date/time.
158 *
159 * @throws CertificateExpiredException if the certificate has expired
160 * with respect to the {@code date} supplied.
161 * @throws CertificateNotYetValidException if the certificate is not
162 * yet valid with respect to the {@code date} supplied.
163 *
164 * @see #checkValidity()
165 */
166 public abstract void checkValidity(Date date)
167 throws CertificateExpiredException, CertificateNotYetValidException;
168
169 /**
170 * Gets the {@code version} (version number) value from the
171 * certificate.
172 * The ASN.1 definition for this is:
173 * <pre>
174 * version [0] EXPLICIT Version DEFAULT v1
175 *
176 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
177 * </pre>
178 * @return the version number, i.e. 1, 2 or 3.
179 */
180 public abstract int getVersion();
181
182 /**
183 * Gets the {@code serialNumber} value from the certificate.
184 * The serial number is an integer assigned by the certification
185 * authority to each certificate. It must be unique for each
186 * certificate issued by a given CA (i.e., the issuer name and
187 * serial number identify a unique certificate).
188 * The ASN.1 definition for this is:
189 * <pre>
190 * serialNumber CertificateSerialNumber
191 *
192 * CertificateSerialNumber ::= INTEGER
193 * </pre>
194 *
195 * @return the serial number.
196 */
197 public abstract BigInteger getSerialNumber();
198
199 /**
200 * <strong>Denigrated</strong>, replaced by {@linkplain
201 * #getIssuerX500Principal()}. This method returns the {@code issuer}
202 * as an implementation specific Principal object, which should not be
203 * relied upon by portable code.
204 *
205 * <p>
206 * Gets the {@code issuer} (issuer distinguished name) value from
207 * the certificate. The issuer name identifies the entity that signed (and
208 * issued) the certificate.
209 *
210 * <p>The issuer name field contains an
211 * X.500 distinguished name (DN).
212 * The ASN.1 definition for this is:
213 * <pre>
214 * issuer Name
215 *
216 * Name ::= CHOICE { RDNSequence }
217 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
218 * RelativeDistinguishedName ::=
219 * SET OF AttributeValueAssertion
220 *
221 * AttributeValueAssertion ::= SEQUENCE {
222 * AttributeType,
223 * AttributeValue }
224 * AttributeType ::= OBJECT IDENTIFIER
225 * AttributeValue ::= ANY
226 * </pre>
227 * The {@code Name} describes a hierarchical name composed of
228 * attributes,
229 * such as country name, and corresponding values, such as US.
230 * The type of the {@code AttributeValue} component is determined by
231 * the {@code AttributeType}; in general it will be a
232 * {@code directoryString}. A {@code directoryString} is usually
233 * one of {@code PrintableString},
234 * {@code TeletexString} or {@code UniversalString}.
235 *
236 * @return a Principal whose name is the issuer distinguished name.
237 */
238 public abstract Principal getIssuerDN();
239
240 /**
241 * Returns the issuer (issuer distinguished name) value from the
242 * certificate as an {@code X500Principal}.
243 * <p>
244 * It is recommended that subclasses override this method.
245 *
246 * @return an {@code X500Principal} representing the issuer
247 * distinguished name
248 * @since 1.4
249 */
250 public X500Principal getIssuerX500Principal() {
251 if (issuerX500Principal == null) {
252 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
253 }
254 return issuerX500Principal;
255 }
256
257 /**
258 * <strong>Denigrated</strong>, replaced by {@linkplain
259 * #getSubjectX500Principal()}. This method returns the {@code subject}
260 * as an implementation specific Principal object, which should not be
261 * relied upon by portable code.
262 *
263 * <p>
264 * Gets the {@code subject} (subject distinguished name) value
265 * from the certificate. If the {@code subject} value is empty,
266 * then the {@code getName()} method of the returned
267 * {@code Principal} object returns an empty string ("").
268 *
269 * <p> The ASN.1 definition for this is:
270 * <pre>
271 * subject Name
272 * </pre>
273 *
274 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
275 * and other relevant definitions.
276 *
277 * @return a Principal whose name is the subject name.
278 */
279 public abstract Principal getSubjectDN();
280
281 /**
282 * Returns the subject (subject distinguished name) value from the
283 * certificate as an {@code X500Principal}. If the subject value
284 * is empty, then the {@code getName()} method of the returned
285 * {@code X500Principal} object returns an empty string ("").
286 * <p>
287 * It is recommended that subclasses override this method.
288 *
289 * @return an {@code X500Principal} representing the subject
290 * distinguished name
291 * @since 1.4
292 */
293 public X500Principal getSubjectX500Principal() {
294 if (subjectX500Principal == null) {
295 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
296 }
297 return subjectX500Principal;
298 }
299
300 /**
301 * Gets the {@code notBefore} date from the validity period of
302 * the certificate.
303 * The relevant ASN.1 definitions are:
304 * <pre>
305 * validity Validity
306 *
307 * Validity ::= SEQUENCE {
308 * notBefore CertificateValidityDate,
309 * notAfter CertificateValidityDate }
310 *
311 * CertificateValidityDate ::= CHOICE {
312 * utcTime UTCTime,
313 * generalTime GeneralizedTime }
314 * </pre>
315 *
316 * @return the start date of the validity period.
317 * @see #checkValidity
318 */
319 public abstract Date getNotBefore();
320
321 /**
322 * Gets the {@code notAfter} date from the validity period of
323 * the certificate. See {@link #getNotBefore() getNotBefore}
324 * for relevant ASN.1 definitions.
325 *
326 * @return the end date of the validity period.
327 * @see #checkValidity
328 */
329 public abstract Date getNotAfter();
330
331 /**
332 * Gets the DER-encoded certificate information, the
333 * {@code tbsCertificate} from this certificate.
334 * This can be used to verify the signature independently.
335 *
336 * @return the DER-encoded certificate information.
337 * @throws CertificateEncodingException if an encoding error occurs.
338 */
339 public abstract byte[] getTBSCertificate()
340 throws CertificateEncodingException;
341
342 /**
343 * Gets the {@code signature} value (the raw signature bits) from
344 * the certificate.
345 * The ASN.1 definition for this is:
346 * <pre>
347 * signature BIT STRING
348 * </pre>
349 *
350 * @return the signature.
351 */
352 public abstract byte[] getSignature();
353
354 /**
355 * Gets the signature algorithm name for the certificate
356 * signature algorithm. An example is the string "SHA256withRSA".
357 * The ASN.1 definition for this is:
358 * <pre>
359 * signatureAlgorithm AlgorithmIdentifier
360 *
361 * AlgorithmIdentifier ::= SEQUENCE {
362 * algorithm OBJECT IDENTIFIER,
363 * parameters ANY DEFINED BY algorithm OPTIONAL }
364 * -- contains a value of the type
365 * -- registered for use with the
366 * -- algorithm object identifier value
367 * </pre>
368 *
369 * <p>The algorithm name is determined from the {@code algorithm}
370 * OID string.
371 *
372 * @return the signature algorithm name.
373 */
374 public abstract String getSigAlgName();
375
376 /**
377 * Gets the signature algorithm OID string from the certificate.
378 * An OID is represented by a set of nonnegative whole numbers separated
379 * by periods.
380 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
381 * with DSA signature algorithm defined in
382 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
383 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
384 * and CRL Profile</a>.
385 *
386 * <p>See {@link #getSigAlgName() getSigAlgName} for
387 * relevant ASN.1 definitions.
388 *
389 * @return the signature algorithm OID string.
390 */
391 public abstract String getSigAlgOID();
392
393 /**
394 * Gets the DER-encoded signature algorithm parameters from this
395 * certificate's signature algorithm. In most cases, the signature
396 * algorithm parameters are null; the parameters are usually
397 * supplied with the certificate's public key.
398 * If access to individual parameter values is needed then use
399 * {@link java.security.AlgorithmParameters AlgorithmParameters}
400 * and instantiate with the name returned by
401 * {@link #getSigAlgName() getSigAlgName}.
402 *
403 * <p>See {@link #getSigAlgName() getSigAlgName} for
404 * relevant ASN.1 definitions.
405 *
406 * @return the DER-encoded signature algorithm parameters, or
407 * null if no parameters are present.
408 */
409 public abstract byte[] getSigAlgParams();
410
411 /**
412 * Gets the {@code issuerUniqueID} value from the certificate.
413 * The issuer unique identifier is present in the certificate
414 * to handle the possibility of reuse of issuer names over time.
415 * RFC 5280 recommends that names not be reused and that
416 * conforming certificates not make use of unique identifiers.
417 * Applications conforming to that profile should be capable of
418 * parsing unique identifiers and making comparisons.
419 *
420 * <p>The ASN.1 definition for this is:
421 * <pre>
422 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL
423 *
424 * UniqueIdentifier ::= BIT STRING
425 * </pre>
426 *
427 * @return the issuer unique identifier or null if it is not
428 * present in the certificate.
429 */
430 public abstract boolean[] getIssuerUniqueID();
431
432 /**
433 * Gets the {@code subjectUniqueID} value from the certificate.
434 *
435 * <p>The ASN.1 definition for this is:
436 * <pre>
437 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
438 *
439 * UniqueIdentifier ::= BIT STRING
440 * </pre>
441 *
442 * @return the subject unique identifier or null if it is not
443 * present in the certificate.
444 */
445 public abstract boolean[] getSubjectUniqueID();
446
447 /**
448 * Gets a boolean array representing bits of
449 * the {@code KeyUsage} extension, (OID = 2.5.29.15).
450 * The key usage extension defines the purpose (e.g., encipherment,
451 * signature, certificate signing) of the key contained in the
452 * certificate.
453 * The ASN.1 definition for this is:
454 * <pre>
455 * KeyUsage ::= BIT STRING {
456 * digitalSignature (0),
457 * nonRepudiation (1),
458 * keyEncipherment (2),
459 * dataEncipherment (3),
460 * keyAgreement (4),
461 * keyCertSign (5),
462 * cRLSign (6),
463 * encipherOnly (7),
464 * decipherOnly (8) }
465 * </pre>
466 * RFC 5280 recommends that when used, this be marked
467 * as a critical extension.
468 *
469 * @return the KeyUsage extension of this certificate, represented as
470 * an array of booleans. The order of KeyUsage values in the array is
471 * the same as in the above ASN.1 definition. The array will contain a
472 * value for each KeyUsage defined above. If the KeyUsage list encoded
473 * in the certificate is longer than the above list, it will not be
474 * truncated. Returns null if this certificate does not
475 * contain a KeyUsage extension.
476 */
477 public abstract boolean[] getKeyUsage();
478
479 /**
480 * Gets an unmodifiable list of Strings representing the OBJECT
481 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
482 * extended key usage extension, (OID = 2.5.29.37). It indicates
483 * one or more purposes for which the certified public key may be
484 * used, in addition to or in place of the basic purposes
485 * indicated in the key usage extension field. The ASN.1
486 * definition for this is:
487 * <pre>
488 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
489 *
490 * KeyPurposeId ::= OBJECT IDENTIFIER
491 * </pre>
492 *
493 * Key purposes may be defined by any organization with a
494 * need. Object identifiers used to identify key purposes shall be
495 * assigned in accordance with IANA or ITU-T Rec. X.660 |
496 * ISO/IEC/ITU 9834-1.
497 * <p>
498 * This method was added to version 1.4 of the Java 2 Platform Standard
499 * Edition. In order to maintain backwards compatibility with existing
500 * service providers, this method is not {@code abstract}
501 * and it provides a default implementation. Subclasses
502 * should override this method with a correct implementation.
503 *
504 * @return the ExtendedKeyUsage extension of this certificate,
505 * as an unmodifiable list of object identifiers represented
506 * as Strings. Returns null if this certificate does not
507 * contain an ExtendedKeyUsage extension.
508 * @throws CertificateParsingException if the extension cannot be decoded
509 * @since 1.4
510 */
511 public List<String> getExtendedKeyUsage() throws CertificateParsingException {
512 return X509CertImpl.getExtendedKeyUsage(this);
513 }
514
515 /**
516 * Gets the certificate constraints path length from the
517 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
518 * <p>
519 * The basic constraints extension identifies whether the subject
520 * of the certificate is a Certificate Authority (CA) and
521 * how deep a certification path may exist through that CA. The
522 * {@code pathLenConstraint} field (see below) is meaningful
523 * only if {@code cA} is set to TRUE. In this case, it gives the
524 * maximum number of CA certificates that may follow this certificate in a
525 * certification path. A value of zero indicates that only an end-entity
526 * certificate may follow in the path.
527 * <p>
528 * The ASN.1 definition for this is:
529 * <pre>
530 * BasicConstraints ::= SEQUENCE {
531 * cA BOOLEAN DEFAULT FALSE,
532 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
533 * </pre>
534 *
535 * @return the value of {@code pathLenConstraint} if the
536 * BasicConstraints extension is present in the certificate and the
537 * subject of the certificate is a CA, otherwise -1.
538 * If the subject of the certificate is a CA and
539 * {@code pathLenConstraint} does not appear,
540 * {@code Integer.MAX_VALUE} is returned to indicate that there is no
541 * limit to the allowed length of the certification path.
542 */
543 public abstract int getBasicConstraints();
544
545 /**
546 * Gets an immutable collection of subject alternative names from the
547 * {@code SubjectAltName} extension, (OID = 2.5.29.17).
548 * <p>
549 * The ASN.1 definition of the {@code SubjectAltName} extension is:
550 * <pre>
551 * SubjectAltName ::= GeneralNames
552 *
553 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
554 *
555 * GeneralName ::= CHOICE {
556 * otherName [0] OtherName,
557 * rfc822Name [1] IA5String,
558 * dNSName [2] IA5String,
559 * x400Address [3] ORAddress,
560 * directoryName [4] Name,
561 * ediPartyName [5] EDIPartyName,
562 * uniformResourceIdentifier [6] IA5String,
563 * iPAddress [7] OCTET STRING,
564 * registeredID [8] OBJECT IDENTIFIER}
565 * </pre>
566 * <p>
567 * If this certificate does not contain a {@code SubjectAltName}
568 * extension, {@code null} is returned. Otherwise, a
569 * {@code Collection} is returned with an entry representing each
570 * {@code GeneralName} included in the extension. Each entry is a
571 * {@code List} whose first entry is an {@code Integer}
572 * (the name type, 0-8) and whose second entry is a {@code String}
573 * or a byte array (the name, in string or ASN.1 DER encoded form,
574 * respectively).
575 * <p>
576 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
577 * names are returned as {@code String}s,
578 * using the well-established string formats for those types (subject to
579 * the restrictions included in RFC 5280). IPv4 address names are
580 * returned using dotted quad notation. IPv6 address names are returned
581 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
582 * representing the eight 16-bit pieces of the address. OID names are
583 * returned as {@code String}s represented as a series of nonnegative
584 * integers separated by periods. And directory names (distinguished names)
585 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
586 * RFC 2253</a> string format. No standard string format is
587 * defined for otherNames, X.400 names, EDI party names, or any
588 * other type of names. They are returned as byte arrays
589 * containing the ASN.1 DER encoded form of the name.
590 * <p>
591 * Note that the {@code Collection} returned may contain more
592 * than one name of the same type. Also, note that the returned
593 * {@code Collection} is immutable and any entries containing byte
594 * arrays are cloned to protect against subsequent modifications.
595 * <p>
596 * This method was added to version 1.4 of the Java 2 Platform Standard
597 * Edition. In order to maintain backwards compatibility with existing
598 * service providers, this method is not {@code abstract}
599 * and it provides a default implementation. Subclasses
600 * should override this method with a correct implementation.
601 *
602 * @return an immutable {@code Collection} of subject alternative
603 * names (or {@code null})
604 * @throws CertificateParsingException if the extension cannot be decoded
605 * @since 1.4
606 */
607 public Collection<List<?>> getSubjectAlternativeNames()
608 throws CertificateParsingException {
609 return X509CertImpl.getSubjectAlternativeNames(this);
610 }
611
612 /**
613 * Gets an immutable collection of issuer alternative names from the
614 * {@code IssuerAltName} extension, (OID = 2.5.29.18).
615 * <p>
616 * The ASN.1 definition of the {@code IssuerAltName} extension is:
617 * <pre>
618 * IssuerAltName ::= GeneralNames
619 * </pre>
620 * The ASN.1 definition of {@code GeneralNames} is defined
621 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
622 * <p>
623 * If this certificate does not contain an {@code IssuerAltName}
624 * extension, {@code null} is returned. Otherwise, a
625 * {@code Collection} is returned with an entry representing each
626 * {@code GeneralName} included in the extension. Each entry is a
627 * {@code List} whose first entry is an {@code Integer}
628 * (the name type, 0-8) and whose second entry is a {@code String}
629 * or a byte array (the name, in string or ASN.1 DER encoded form,
630 * respectively). For more details about the formats used for each
631 * name type, see the {@code getSubjectAlternativeNames} method.
632 * <p>
633 * Note that the {@code Collection} returned may contain more
634 * than one name of the same type. Also, note that the returned
635 * {@code Collection} is immutable and any entries containing byte
636 * arrays are cloned to protect against subsequent modifications.
637 * <p>
638 * This method was added to version 1.4 of the Java 2 Platform Standard
639 * Edition. In order to maintain backwards compatibility with existing
640 * service providers, this method is not {@code abstract}
641 * and it provides a default implementation. Subclasses
642 * should override this method with a correct implementation.
643 *
644 * @return an immutable {@code Collection} of issuer alternative
645 * names (or {@code null})
646 * @throws CertificateParsingException if the extension cannot be decoded
647 * @since 1.4
648 */
649 public Collection<List<?>> getIssuerAlternativeNames()
650 throws CertificateParsingException {
651 return X509CertImpl.getIssuerAlternativeNames(this);
652 }
653
654 /**
655 * Verifies that this certificate was signed using the
656 * private key that corresponds to the specified public key.
657 * This method uses the signature verification engine
658 * supplied by the specified provider. Note that the specified
659 * Provider object does not have to be registered in the provider list.
660 *
661 * This method was added to version 1.8 of the Java Platform Standard
662 * Edition. In order to maintain backwards compatibility with existing
663 * service providers, this method is not {@code abstract}
664 * and it provides a default implementation.
665 *
666 * @param key the PublicKey used to carry out the verification.
667 * @param sigProvider the signature provider.
668 *
669 * @throws NoSuchAlgorithmException on unsupported signature
670 * algorithms.
671 * @throws InvalidKeyException on incorrect key.
672 * @throws SignatureException on signature errors.
673 * @throws CertificateException on encoding errors.
674 * @throws UnsupportedOperationException if the method is not supported
675 * @since 1.8
676 */
677 public void verify(PublicKey key, Provider sigProvider)
678 throws CertificateException, NoSuchAlgorithmException,
679 InvalidKeyException, SignatureException {
680 String sigName = getSigAlgName();
681 Signature sig = (sigProvider == null)
682 ? Signature.getInstance(sigName)
683 : Signature.getInstance(sigName, sigProvider);
684
685 try {
686 SignatureUtil.initVerifyWithParam(sig, key,
687 SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
688 } catch (ProviderException e) {
689 throw new CertificateException(e.getMessage(), e.getCause());
690 } catch (InvalidAlgorithmParameterException e) {
691 throw new CertificateException(e);
692 }
693
694 byte[] tbsCert = getTBSCertificate();
695 sig.update(tbsCert, 0, tbsCert.length);
696
697 if (sig.verify(getSignature()) == false) {
698 throw new SignatureException("Signature does not match.");
699 }
700 }
701 }