1 /* 2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.math.BigInteger; 29 import java.security.*; 30 import java.security.spec.*; 31 import java.util.Collection; 32 import java.util.Date; 33 import java.util.List; 34 import javax.security.auth.x500.X500Principal; 35 36 import sun.security.x509.X509CertImpl; 37 import sun.security.util.SignatureUtil; 38 39 /** 40 * <p> 41 * Abstract class for X.509 certificates. This provides a standard 42 * way to access all the attributes of an X.509 certificate. 43 * <p> 44 * In June of 1996, the basic X.509 v3 format was completed by 45 * ISO/IEC and ANSI X9, which is described below in ASN.1: 46 * <pre> 47 * Certificate ::= SEQUENCE { 48 * tbsCertificate TBSCertificate, 49 * signatureAlgorithm AlgorithmIdentifier, 50 * signature BIT STRING } 51 * </pre> 52 * <p> 53 * These certificates are widely used to support authentication and 54 * other functionality in Internet security systems. Common applications 55 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), 56 * code signing for trusted software distribution, and Secure Electronic 57 * Transactions (SET). 58 * <p> 59 * These certificates are managed and vouched for by <em>Certificate 60 * Authorities</em> (CAs). CAs are services which create certificates by 61 * placing data in the X.509 standard format and then digitally signing 62 * that data. CAs act as trusted third parties, making introductions 63 * between principals who have no direct knowledge of each other. 64 * CA certificates are either signed by themselves, or by some other 65 * CA such as a "root" CA. 66 * <p> 67 * More information can be found in 68 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 69 * Public Key Infrastructure Certificate and CRL Profile</a>. 70 * <p> 71 * The ASN.1 definition of {@code tbsCertificate} is: 72 * <pre> 73 * TBSCertificate ::= SEQUENCE { 74 * version [0] EXPLICIT Version DEFAULT v1, 75 * serialNumber CertificateSerialNumber, 76 * signature AlgorithmIdentifier, 77 * issuer Name, 78 * validity Validity, 79 * subject Name, 80 * subjectPublicKeyInfo SubjectPublicKeyInfo, 81 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 82 * -- If present, version must be v2 or v3 83 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 84 * -- If present, version must be v2 or v3 85 * extensions [3] EXPLICIT Extensions OPTIONAL 86 * -- If present, version must be v3 87 * } 88 * </pre> 89 * <p> 90 * Certificates are instantiated using a certificate factory. The following is 91 * an example of how to instantiate an X.509 certificate: 92 * <pre> 93 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) { 94 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 95 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream); 96 * } 97 * </pre> 98 * 99 * @author Hemma Prafullchandra 100 * @since 1.2 101 * 102 * 103 * @see Certificate 104 * @see CertificateFactory 105 * @see X509Extension 106 */ 107 108 public abstract class X509Certificate extends Certificate 109 implements X509Extension { 110 111 @java.io.Serial 112 private static final long serialVersionUID = -2491127588187038216L; 113 114 private transient X500Principal subjectX500Principal, issuerX500Principal; 115 116 /** 117 * Constructor for X.509 certificates. 118 */ 119 protected X509Certificate() { 120 super("X.509"); 121 } 122 123 /** 124 * Checks that the certificate is currently valid. It is if 125 * the current date and time are within the validity period given in the 126 * certificate. 127 * <p> 128 * The validity period consists of two date/time values: 129 * the first and last dates (and times) on which the certificate 130 * is valid. It is defined in 131 * ASN.1 as: 132 * <pre> 133 * validity Validity 134 * 135 * Validity ::= SEQUENCE { 136 * notBefore CertificateValidityDate, 137 * notAfter CertificateValidityDate } 138 * 139 * CertificateValidityDate ::= CHOICE { 140 * utcTime UTCTime, 141 * generalTime GeneralizedTime } 142 * </pre> 143 * 144 * @throws CertificateExpiredException if the certificate has expired. 145 * @throws CertificateNotYetValidException if the certificate is not 146 * yet valid. 147 */ 148 public abstract void checkValidity() 149 throws CertificateExpiredException, CertificateNotYetValidException; 150 151 /** 152 * Checks that the given date is within the certificate's 153 * validity period. In other words, this determines whether the 154 * certificate would be valid at the given date/time. 155 * 156 * @param date the Date to check against to see if this certificate 157 * is valid at that date/time. 158 * 159 * @throws CertificateExpiredException if the certificate has expired 160 * with respect to the {@code date} supplied. 161 * @throws CertificateNotYetValidException if the certificate is not 162 * yet valid with respect to the {@code date} supplied. 163 * 164 * @see #checkValidity() 165 */ 166 public abstract void checkValidity(Date date) 167 throws CertificateExpiredException, CertificateNotYetValidException; 168 169 /** 170 * Gets the {@code version} (version number) value from the 171 * certificate. 172 * The ASN.1 definition for this is: 173 * <pre> 174 * version [0] EXPLICIT Version DEFAULT v1 175 * 176 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 177 * </pre> 178 * @return the version number, i.e. 1, 2 or 3. 179 */ 180 public abstract int getVersion(); 181 182 /** 183 * Gets the {@code serialNumber} value from the certificate. 184 * The serial number is an integer assigned by the certification 185 * authority to each certificate. It must be unique for each 186 * certificate issued by a given CA (i.e., the issuer name and 187 * serial number identify a unique certificate). 188 * The ASN.1 definition for this is: 189 * <pre> 190 * serialNumber CertificateSerialNumber 191 * 192 * CertificateSerialNumber ::= INTEGER 193 * </pre> 194 * 195 * @return the serial number. 196 */ 197 public abstract BigInteger getSerialNumber(); 198 199 /** 200 * <strong>Denigrated</strong>, replaced by {@linkplain 201 * #getIssuerX500Principal()}. This method returns the {@code issuer} 202 * as an implementation specific Principal object, which should not be 203 * relied upon by portable code. 204 * 205 * <p> 206 * Gets the {@code issuer} (issuer distinguished name) value from 207 * the certificate. The issuer name identifies the entity that signed (and 208 * issued) the certificate. 209 * 210 * <p>The issuer name field contains an 211 * X.500 distinguished name (DN). 212 * The ASN.1 definition for this is: 213 * <pre> 214 * issuer Name 215 * 216 * Name ::= CHOICE { RDNSequence } 217 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 218 * RelativeDistinguishedName ::= 219 * SET OF AttributeValueAssertion 220 * 221 * AttributeValueAssertion ::= SEQUENCE { 222 * AttributeType, 223 * AttributeValue } 224 * AttributeType ::= OBJECT IDENTIFIER 225 * AttributeValue ::= ANY 226 * </pre> 227 * The {@code Name} describes a hierarchical name composed of 228 * attributes, 229 * such as country name, and corresponding values, such as US. 230 * The type of the {@code AttributeValue} component is determined by 231 * the {@code AttributeType}; in general it will be a 232 * {@code directoryString}. A {@code directoryString} is usually 233 * one of {@code PrintableString}, 234 * {@code TeletexString} or {@code UniversalString}. 235 * 236 * @return a Principal whose name is the issuer distinguished name. 237 */ 238 public abstract Principal getIssuerDN(); 239 240 /** 241 * Returns the issuer (issuer distinguished name) value from the 242 * certificate as an {@code X500Principal}. 243 * <p> 244 * It is recommended that subclasses override this method. 245 * 246 * @return an {@code X500Principal} representing the issuer 247 * distinguished name 248 * @since 1.4 249 */ 250 public X500Principal getIssuerX500Principal() { 251 if (issuerX500Principal == null) { 252 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this); 253 } 254 return issuerX500Principal; 255 } 256 257 /** 258 * <strong>Denigrated</strong>, replaced by {@linkplain 259 * #getSubjectX500Principal()}. This method returns the {@code subject} 260 * as an implementation specific Principal object, which should not be 261 * relied upon by portable code. 262 * 263 * <p> 264 * Gets the {@code subject} (subject distinguished name) value 265 * from the certificate. If the {@code subject} value is empty, 266 * then the {@code getName()} method of the returned 267 * {@code Principal} object returns an empty string (""). 268 * 269 * <p> The ASN.1 definition for this is: 270 * <pre> 271 * subject Name 272 * </pre> 273 * 274 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name} 275 * and other relevant definitions. 276 * 277 * @return a Principal whose name is the subject name. 278 */ 279 public abstract Principal getSubjectDN(); 280 281 /** 282 * Returns the subject (subject distinguished name) value from the 283 * certificate as an {@code X500Principal}. If the subject value 284 * is empty, then the {@code getName()} method of the returned 285 * {@code X500Principal} object returns an empty string (""). 286 * <p> 287 * It is recommended that subclasses override this method. 288 * 289 * @return an {@code X500Principal} representing the subject 290 * distinguished name 291 * @since 1.4 292 */ 293 public X500Principal getSubjectX500Principal() { 294 if (subjectX500Principal == null) { 295 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this); 296 } 297 return subjectX500Principal; 298 } 299 300 /** 301 * Gets the {@code notBefore} date from the validity period of 302 * the certificate. 303 * The relevant ASN.1 definitions are: 304 * <pre> 305 * validity Validity 306 * 307 * Validity ::= SEQUENCE { 308 * notBefore CertificateValidityDate, 309 * notAfter CertificateValidityDate } 310 * 311 * CertificateValidityDate ::= CHOICE { 312 * utcTime UTCTime, 313 * generalTime GeneralizedTime } 314 * </pre> 315 * 316 * @return the start date of the validity period. 317 * @see #checkValidity 318 */ 319 public abstract Date getNotBefore(); 320 321 /** 322 * Gets the {@code notAfter} date from the validity period of 323 * the certificate. See {@link #getNotBefore() getNotBefore} 324 * for relevant ASN.1 definitions. 325 * 326 * @return the end date of the validity period. 327 * @see #checkValidity 328 */ 329 public abstract Date getNotAfter(); 330 331 /** 332 * Gets the DER-encoded certificate information, the 333 * {@code tbsCertificate} from this certificate. 334 * This can be used to verify the signature independently. 335 * 336 * @return the DER-encoded certificate information. 337 * @throws CertificateEncodingException if an encoding error occurs. 338 */ 339 public abstract byte[] getTBSCertificate() 340 throws CertificateEncodingException; 341 342 /** 343 * Gets the {@code signature} value (the raw signature bits) from 344 * the certificate. 345 * The ASN.1 definition for this is: 346 * <pre> 347 * signature BIT STRING 348 * </pre> 349 * 350 * @return the signature. 351 */ 352 public abstract byte[] getSignature(); 353 354 /** 355 * Gets the signature algorithm name for the certificate 356 * signature algorithm. An example is the string "SHA256withRSA". 357 * The ASN.1 definition for this is: 358 * <pre> 359 * signatureAlgorithm AlgorithmIdentifier 360 * 361 * AlgorithmIdentifier ::= SEQUENCE { 362 * algorithm OBJECT IDENTIFIER, 363 * parameters ANY DEFINED BY algorithm OPTIONAL } 364 * -- contains a value of the type 365 * -- registered for use with the 366 * -- algorithm object identifier value 367 * </pre> 368 * 369 * <p>The algorithm name is determined from the {@code algorithm} 370 * OID string. 371 * 372 * @return the signature algorithm name. 373 */ 374 public abstract String getSigAlgName(); 375 376 /** 377 * Gets the signature algorithm OID string from the certificate. 378 * An OID is represented by a set of nonnegative whole numbers separated 379 * by periods. 380 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 381 * with DSA signature algorithm defined in 382 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 383 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 384 * and CRL Profile</a>. 385 * 386 * <p>See {@link #getSigAlgName() getSigAlgName} for 387 * relevant ASN.1 definitions. 388 * 389 * @return the signature algorithm OID string. 390 */ 391 public abstract String getSigAlgOID(); 392 393 /** 394 * Gets the DER-encoded signature algorithm parameters from this 395 * certificate's signature algorithm. In most cases, the signature 396 * algorithm parameters are null; the parameters are usually 397 * supplied with the certificate's public key. 398 * If access to individual parameter values is needed then use 399 * {@link java.security.AlgorithmParameters AlgorithmParameters} 400 * and instantiate with the name returned by 401 * {@link #getSigAlgName() getSigAlgName}. 402 * 403 * <p>See {@link #getSigAlgName() getSigAlgName} for 404 * relevant ASN.1 definitions. 405 * 406 * @return the DER-encoded signature algorithm parameters, or 407 * null if no parameters are present. 408 */ 409 public abstract byte[] getSigAlgParams(); 410 411 /** 412 * Gets the {@code issuerUniqueID} value from the certificate. 413 * The issuer unique identifier is present in the certificate 414 * to handle the possibility of reuse of issuer names over time. 415 * RFC 5280 recommends that names not be reused and that 416 * conforming certificates not make use of unique identifiers. 417 * Applications conforming to that profile should be capable of 418 * parsing unique identifiers and making comparisons. 419 * 420 * <p>The ASN.1 definition for this is: 421 * <pre> 422 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL 423 * 424 * UniqueIdentifier ::= BIT STRING 425 * </pre> 426 * 427 * @return the issuer unique identifier or null if it is not 428 * present in the certificate. 429 */ 430 public abstract boolean[] getIssuerUniqueID(); 431 432 /** 433 * Gets the {@code subjectUniqueID} value from the certificate. 434 * 435 * <p>The ASN.1 definition for this is: 436 * <pre> 437 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 438 * 439 * UniqueIdentifier ::= BIT STRING 440 * </pre> 441 * 442 * @return the subject unique identifier or null if it is not 443 * present in the certificate. 444 */ 445 public abstract boolean[] getSubjectUniqueID(); 446 447 /** 448 * Gets a boolean array representing bits of 449 * the {@code KeyUsage} extension, (OID = 2.5.29.15). 450 * The key usage extension defines the purpose (e.g., encipherment, 451 * signature, certificate signing) of the key contained in the 452 * certificate. 453 * The ASN.1 definition for this is: 454 * <pre> 455 * KeyUsage ::= BIT STRING { 456 * digitalSignature (0), 457 * nonRepudiation (1), 458 * keyEncipherment (2), 459 * dataEncipherment (3), 460 * keyAgreement (4), 461 * keyCertSign (5), 462 * cRLSign (6), 463 * encipherOnly (7), 464 * decipherOnly (8) } 465 * </pre> 466 * RFC 5280 recommends that when used, this be marked 467 * as a critical extension. 468 * 469 * @return the KeyUsage extension of this certificate, represented as 470 * an array of booleans. The order of KeyUsage values in the array is 471 * the same as in the above ASN.1 definition. The array will contain a 472 * value for each KeyUsage defined above. If the KeyUsage list encoded 473 * in the certificate is longer than the above list, it will not be 474 * truncated. Returns null if this certificate does not 475 * contain a KeyUsage extension. 476 */ 477 public abstract boolean[] getKeyUsage(); 478 479 /** 480 * Gets an unmodifiable list of Strings representing the OBJECT 481 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the 482 * extended key usage extension, (OID = 2.5.29.37). It indicates 483 * one or more purposes for which the certified public key may be 484 * used, in addition to or in place of the basic purposes 485 * indicated in the key usage extension field. The ASN.1 486 * definition for this is: 487 * <pre> 488 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 489 * 490 * KeyPurposeId ::= OBJECT IDENTIFIER 491 * </pre> 492 * 493 * Key purposes may be defined by any organization with a 494 * need. Object identifiers used to identify key purposes shall be 495 * assigned in accordance with IANA or ITU-T Rec. X.660 | 496 * ISO/IEC/ITU 9834-1. 497 * <p> 498 * This method was added to version 1.4 of the Java 2 Platform Standard 499 * Edition. In order to maintain backwards compatibility with existing 500 * service providers, this method is not {@code abstract} 501 * and it provides a default implementation. Subclasses 502 * should override this method with a correct implementation. 503 * 504 * @return the ExtendedKeyUsage extension of this certificate, 505 * as an unmodifiable list of object identifiers represented 506 * as Strings. Returns null if this certificate does not 507 * contain an ExtendedKeyUsage extension. 508 * @throws CertificateParsingException if the extension cannot be decoded 509 * @since 1.4 510 */ 511 public List<String> getExtendedKeyUsage() throws CertificateParsingException { 512 return X509CertImpl.getExtendedKeyUsage(this); 513 } 514 515 /** 516 * Gets the certificate constraints path length from the 517 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19). 518 * <p> 519 * The basic constraints extension identifies whether the subject 520 * of the certificate is a Certificate Authority (CA) and 521 * how deep a certification path may exist through that CA. The 522 * {@code pathLenConstraint} field (see below) is meaningful 523 * only if {@code cA} is set to TRUE. In this case, it gives the 524 * maximum number of CA certificates that may follow this certificate in a 525 * certification path. A value of zero indicates that only an end-entity 526 * certificate may follow in the path. 527 * <p> 528 * The ASN.1 definition for this is: 529 * <pre> 530 * BasicConstraints ::= SEQUENCE { 531 * cA BOOLEAN DEFAULT FALSE, 532 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 533 * </pre> 534 * 535 * @return the value of {@code pathLenConstraint} if the 536 * BasicConstraints extension is present in the certificate and the 537 * subject of the certificate is a CA, otherwise -1. 538 * If the subject of the certificate is a CA and 539 * {@code pathLenConstraint} does not appear, 540 * {@code Integer.MAX_VALUE} is returned to indicate that there is no 541 * limit to the allowed length of the certification path. 542 */ 543 public abstract int getBasicConstraints(); 544 545 /** 546 * Gets an immutable collection of subject alternative names from the 547 * {@code SubjectAltName} extension, (OID = 2.5.29.17). 548 * <p> 549 * The ASN.1 definition of the {@code SubjectAltName} extension is: 550 * <pre> 551 * SubjectAltName ::= GeneralNames 552 * 553 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName 554 * 555 * GeneralName ::= CHOICE { 556 * otherName [0] OtherName, 557 * rfc822Name [1] IA5String, 558 * dNSName [2] IA5String, 559 * x400Address [3] ORAddress, 560 * directoryName [4] Name, 561 * ediPartyName [5] EDIPartyName, 562 * uniformResourceIdentifier [6] IA5String, 563 * iPAddress [7] OCTET STRING, 564 * registeredID [8] OBJECT IDENTIFIER} 565 * </pre> 566 * <p> 567 * If this certificate does not contain a {@code SubjectAltName} 568 * extension, {@code null} is returned. Otherwise, a 569 * {@code Collection} is returned with an entry representing each 570 * {@code GeneralName} included in the extension. Each entry is a 571 * {@code List} whose first entry is an {@code Integer} 572 * (the name type, 0-8) and whose second entry is a {@code String} 573 * or a byte array (the name, in string or ASN.1 DER encoded form, 574 * respectively). 575 * <p> 576 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI 577 * names are returned as {@code String}s, 578 * using the well-established string formats for those types (subject to 579 * the restrictions included in RFC 5280). IPv4 address names are 580 * returned using dotted quad notation. IPv6 address names are returned 581 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values 582 * representing the eight 16-bit pieces of the address. OID names are 583 * returned as {@code String}s represented as a series of nonnegative 584 * integers separated by periods. And directory names (distinguished names) 585 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt"> 586 * RFC 2253</a> string format. No standard string format is 587 * defined for otherNames, X.400 names, EDI party names, or any 588 * other type of names. They are returned as byte arrays 589 * containing the ASN.1 DER encoded form of the name. 590 * <p> 591 * Note that the {@code Collection} returned may contain more 592 * than one name of the same type. Also, note that the returned 593 * {@code Collection} is immutable and any entries containing byte 594 * arrays are cloned to protect against subsequent modifications. 595 * <p> 596 * This method was added to version 1.4 of the Java 2 Platform Standard 597 * Edition. In order to maintain backwards compatibility with existing 598 * service providers, this method is not {@code abstract} 599 * and it provides a default implementation. Subclasses 600 * should override this method with a correct implementation. 601 * 602 * @return an immutable {@code Collection} of subject alternative 603 * names (or {@code null}) 604 * @throws CertificateParsingException if the extension cannot be decoded 605 * @since 1.4 606 */ 607 public Collection<List<?>> getSubjectAlternativeNames() 608 throws CertificateParsingException { 609 return X509CertImpl.getSubjectAlternativeNames(this); 610 } 611 612 /** 613 * Gets an immutable collection of issuer alternative names from the 614 * {@code IssuerAltName} extension, (OID = 2.5.29.18). 615 * <p> 616 * The ASN.1 definition of the {@code IssuerAltName} extension is: 617 * <pre> 618 * IssuerAltName ::= GeneralNames 619 * </pre> 620 * The ASN.1 definition of {@code GeneralNames} is defined 621 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}. 622 * <p> 623 * If this certificate does not contain an {@code IssuerAltName} 624 * extension, {@code null} is returned. Otherwise, a 625 * {@code Collection} is returned with an entry representing each 626 * {@code GeneralName} included in the extension. Each entry is a 627 * {@code List} whose first entry is an {@code Integer} 628 * (the name type, 0-8) and whose second entry is a {@code String} 629 * or a byte array (the name, in string or ASN.1 DER encoded form, 630 * respectively). For more details about the formats used for each 631 * name type, see the {@code getSubjectAlternativeNames} method. 632 * <p> 633 * Note that the {@code Collection} returned may contain more 634 * than one name of the same type. Also, note that the returned 635 * {@code Collection} is immutable and any entries containing byte 636 * arrays are cloned to protect against subsequent modifications. 637 * <p> 638 * This method was added to version 1.4 of the Java 2 Platform Standard 639 * Edition. In order to maintain backwards compatibility with existing 640 * service providers, this method is not {@code abstract} 641 * and it provides a default implementation. Subclasses 642 * should override this method with a correct implementation. 643 * 644 * @return an immutable {@code Collection} of issuer alternative 645 * names (or {@code null}) 646 * @throws CertificateParsingException if the extension cannot be decoded 647 * @since 1.4 648 */ 649 public Collection<List<?>> getIssuerAlternativeNames() 650 throws CertificateParsingException { 651 return X509CertImpl.getIssuerAlternativeNames(this); 652 } 653 654 /** 655 * Verifies that this certificate was signed using the 656 * private key that corresponds to the specified public key. 657 * This method uses the signature verification engine 658 * supplied by the specified provider. Note that the specified 659 * Provider object does not have to be registered in the provider list. 660 * 661 * This method was added to version 1.8 of the Java Platform Standard 662 * Edition. In order to maintain backwards compatibility with existing 663 * service providers, this method is not {@code abstract} 664 * and it provides a default implementation. 665 * 666 * @param key the PublicKey used to carry out the verification. 667 * @param sigProvider the signature provider. 668 * 669 * @throws NoSuchAlgorithmException on unsupported signature 670 * algorithms. 671 * @throws InvalidKeyException on incorrect key. 672 * @throws SignatureException on signature errors. 673 * @throws CertificateException on encoding errors. 674 * @throws UnsupportedOperationException if the method is not supported 675 * @since 1.8 676 */ 677 public void verify(PublicKey key, Provider sigProvider) 678 throws CertificateException, NoSuchAlgorithmException, 679 InvalidKeyException, SignatureException { 680 String sigName = getSigAlgName(); 681 Signature sig = (sigProvider == null) 682 ? Signature.getInstance(sigName) 683 : Signature.getInstance(sigName, sigProvider); 684 685 try { 686 SignatureUtil.initVerifyWithParam(sig, key, 687 SignatureUtil.getParamSpec(sigName, getSigAlgParams())); 688 } catch (ProviderException e) { 689 throw new CertificateException(e.getMessage(), e.getCause()); 690 } catch (InvalidAlgorithmParameterException e) { 691 throw new CertificateException(e); 692 } 693 694 byte[] tbsCert = getTBSCertificate(); 695 sig.update(tbsCert, 0, tbsCert.length); 696 697 if (sig.verify(getSignature()) == false) { 698 throw new SignatureException("Signature does not match."); 699 } 700 } 701 }