1 /*
2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security.cert;
27
28 import java.math.BigInteger;
29 import java.security.*;
30 import java.security.spec.*;
31 import java.util.Collection;
32 import java.util.Date;
33 import java.util.List;
34 import javax.security.auth.x500.X500Principal;
35
36 import sun.security.x509.X509CertImpl;
37 import sun.security.util.SignatureUtil;
38
39 /**
40 * <p>
41 * Abstract class for X.509 certificates. This provides a standard
42 * way to access all the attributes of an X.509 certificate.
43 * <p>
44 * In June of 1996, the basic X.509 v3 format was completed by
45 * ISO/IEC and ANSI X9, which is described below in ASN.1:
46 * <pre>
47 * Certificate ::= SEQUENCE {
48 * tbsCertificate TBSCertificate,
49 * signatureAlgorithm AlgorithmIdentifier,
50 * signature BIT STRING }
51 * </pre>
52 * <p>
53 * These certificates are widely used to support authentication and
54 * other functionality in Internet security systems. Common applications
55 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
56 * code signing for trusted software distribution, and Secure Electronic
57 * Transactions (SET).
58 * <p>
59 * These certificates are managed and vouched for by <em>Certificate
60 * Authorities</em> (CAs). CAs are services which create certificates by
61 * placing data in the X.509 standard format and then digitally signing
62 * that data. CAs act as trusted third parties, making introductions
63 * between principals who have no direct knowledge of each other.
64 * CA certificates are either signed by themselves, or by some other
65 * CA such as a "root" CA.
66 * <p>
67 * More information can be found in
68 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
69 * Public Key Infrastructure Certificate and CRL Profile</a>.
70 * <p>
71 * The ASN.1 definition of {@code tbsCertificate} is:
72 * <pre>
73 * TBSCertificate ::= SEQUENCE {
74 * version [0] EXPLICIT Version DEFAULT v1,
75 * serialNumber CertificateSerialNumber,
76 * signature AlgorithmIdentifier,
77 * issuer Name,
78 * validity Validity,
79 * subject Name,
80 * subjectPublicKeyInfo SubjectPublicKeyInfo,
81 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
82 * -- If present, version must be v2 or v3
83 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
84 * -- If present, version must be v2 or v3
85 * extensions [3] EXPLICIT Extensions OPTIONAL
86 * -- If present, version must be v3
87 * }
88 * </pre>
89 * <p>
90 * Certificates are instantiated using a certificate factory. The following is
91 * an example of how to instantiate an X.509 certificate:
92 * <pre>
93 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
94 * CertificateFactory cf = CertificateFactory.getInstance("X.509");
95 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
96 * }
97 * </pre>
98 *
99 * @author Hemma Prafullchandra
100 * @since 1.2
101 *
102 *
103 * @see Certificate
104 * @see CertificateFactory
105 * @see X509Extension
106 */
107
108 public abstract class X509Certificate extends Certificate
109 implements X509Extension {
110
111 private static final long serialVersionUID = -2491127588187038216L;
112
113 private transient X500Principal subjectX500Principal, issuerX500Principal;
114
115 /**
116 * Constructor for X.509 certificates.
117 */
118 protected X509Certificate() {
119 super("X.509");
120 }
121
122 /**
123 * Checks that the certificate is currently valid. It is if
124 * the current date and time are within the validity period given in the
125 * certificate.
126 * <p>
127 * The validity period consists of two date/time values:
128 * the first and last dates (and times) on which the certificate
129 * is valid. It is defined in
130 * ASN.1 as:
131 * <pre>
132 * validity Validity
133 *
134 * Validity ::= SEQUENCE {
135 * notBefore CertificateValidityDate,
136 * notAfter CertificateValidityDate }
137 *
138 * CertificateValidityDate ::= CHOICE {
139 * utcTime UTCTime,
140 * generalTime GeneralizedTime }
141 * </pre>
142 *
143 * @exception CertificateExpiredException if the certificate has expired.
144 * @exception CertificateNotYetValidException if the certificate is not
145 * yet valid.
146 */
147 public abstract void checkValidity()
148 throws CertificateExpiredException, CertificateNotYetValidException;
149
150 /**
151 * Checks that the given date is within the certificate's
152 * validity period. In other words, this determines whether the
153 * certificate would be valid at the given date/time.
154 *
155 * @param date the Date to check against to see if this certificate
156 * is valid at that date/time.
157 *
158 * @exception CertificateExpiredException if the certificate has expired
159 * with respect to the {@code date} supplied.
160 * @exception CertificateNotYetValidException if the certificate is not
161 * yet valid with respect to the {@code date} supplied.
162 *
163 * @see #checkValidity()
164 */
165 public abstract void checkValidity(Date date)
166 throws CertificateExpiredException, CertificateNotYetValidException;
167
168 /**
169 * Gets the {@code version} (version number) value from the
170 * certificate.
171 * The ASN.1 definition for this is:
172 * <pre>
173 * version [0] EXPLICIT Version DEFAULT v1
174 *
175 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
176 * </pre>
177 * @return the version number, i.e. 1, 2 or 3.
178 */
179 public abstract int getVersion();
180
181 /**
182 * Gets the {@code serialNumber} value from the certificate.
183 * The serial number is an integer assigned by the certification
184 * authority to each certificate. It must be unique for each
185 * certificate issued by a given CA (i.e., the issuer name and
186 * serial number identify a unique certificate).
187 * The ASN.1 definition for this is:
188 * <pre>
189 * serialNumber CertificateSerialNumber
190 *
191 * CertificateSerialNumber ::= INTEGER
192 * </pre>
193 *
194 * @return the serial number.
195 */
196 public abstract BigInteger getSerialNumber();
197
198 /**
199 * <strong>Denigrated</strong>, replaced by {@linkplain
200 * #getIssuerX500Principal()}. This method returns the {@code issuer}
201 * as an implementation specific Principal object, which should not be
202 * relied upon by portable code.
203 *
204 * <p>
205 * Gets the {@code issuer} (issuer distinguished name) value from
206 * the certificate. The issuer name identifies the entity that signed (and
207 * issued) the certificate.
208 *
209 * <p>The issuer name field contains an
210 * X.500 distinguished name (DN).
211 * The ASN.1 definition for this is:
212 * <pre>
213 * issuer Name
214 *
215 * Name ::= CHOICE { RDNSequence }
216 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
217 * RelativeDistinguishedName ::=
218 * SET OF AttributeValueAssertion
219 *
220 * AttributeValueAssertion ::= SEQUENCE {
221 * AttributeType,
222 * AttributeValue }
223 * AttributeType ::= OBJECT IDENTIFIER
224 * AttributeValue ::= ANY
225 * </pre>
226 * The {@code Name} describes a hierarchical name composed of
227 * attributes,
228 * such as country name, and corresponding values, such as US.
229 * The type of the {@code AttributeValue} component is determined by
230 * the {@code AttributeType}; in general it will be a
231 * {@code directoryString}. A {@code directoryString} is usually
232 * one of {@code PrintableString},
233 * {@code TeletexString} or {@code UniversalString}.
234 *
235 * @return a Principal whose name is the issuer distinguished name.
236 */
237 public abstract Principal getIssuerDN();
238
239 /**
240 * Returns the issuer (issuer distinguished name) value from the
241 * certificate as an {@code X500Principal}.
242 * <p>
243 * It is recommended that subclasses override this method.
244 *
245 * @return an {@code X500Principal} representing the issuer
246 * distinguished name
247 * @since 1.4
248 */
249 public X500Principal getIssuerX500Principal() {
250 if (issuerX500Principal == null) {
251 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
252 }
253 return issuerX500Principal;
254 }
255
256 /**
257 * <strong>Denigrated</strong>, replaced by {@linkplain
258 * #getSubjectX500Principal()}. This method returns the {@code subject}
259 * as an implementation specific Principal object, which should not be
260 * relied upon by portable code.
261 *
262 * <p>
263 * Gets the {@code subject} (subject distinguished name) value
264 * from the certificate. If the {@code subject} value is empty,
265 * then the {@code getName()} method of the returned
266 * {@code Principal} object returns an empty string ("").
267 *
268 * <p> The ASN.1 definition for this is:
269 * <pre>
270 * subject Name
271 * </pre>
272 *
273 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
274 * and other relevant definitions.
275 *
276 * @return a Principal whose name is the subject name.
277 */
278 public abstract Principal getSubjectDN();
279
280 /**
281 * Returns the subject (subject distinguished name) value from the
282 * certificate as an {@code X500Principal}. If the subject value
283 * is empty, then the {@code getName()} method of the returned
284 * {@code X500Principal} object returns an empty string ("").
285 * <p>
286 * It is recommended that subclasses override this method.
287 *
288 * @return an {@code X500Principal} representing the subject
289 * distinguished name
290 * @since 1.4
291 */
292 public X500Principal getSubjectX500Principal() {
293 if (subjectX500Principal == null) {
294 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
295 }
296 return subjectX500Principal;
297 }
298
299 /**
300 * Gets the {@code notBefore} date from the validity period of
301 * the certificate.
302 * The relevant ASN.1 definitions are:
303 * <pre>
304 * validity Validity
305 *
306 * Validity ::= SEQUENCE {
307 * notBefore CertificateValidityDate,
308 * notAfter CertificateValidityDate }
309 *
310 * CertificateValidityDate ::= CHOICE {
311 * utcTime UTCTime,
312 * generalTime GeneralizedTime }
313 * </pre>
314 *
315 * @return the start date of the validity period.
316 * @see #checkValidity
317 */
318 public abstract Date getNotBefore();
319
320 /**
321 * Gets the {@code notAfter} date from the validity period of
322 * the certificate. See {@link #getNotBefore() getNotBefore}
323 * for relevant ASN.1 definitions.
324 *
325 * @return the end date of the validity period.
326 * @see #checkValidity
327 */
328 public abstract Date getNotAfter();
329
330 /**
331 * Gets the DER-encoded certificate information, the
332 * {@code tbsCertificate} from this certificate.
333 * This can be used to verify the signature independently.
334 *
335 * @return the DER-encoded certificate information.
336 * @exception CertificateEncodingException if an encoding error occurs.
337 */
338 public abstract byte[] getTBSCertificate()
339 throws CertificateEncodingException;
340
341 /**
342 * Gets the {@code signature} value (the raw signature bits) from
343 * the certificate.
344 * The ASN.1 definition for this is:
345 * <pre>
346 * signature BIT STRING
347 * </pre>
348 *
349 * @return the signature.
350 */
351 public abstract byte[] getSignature();
352
353 /**
354 * Gets the signature algorithm name for the certificate
355 * signature algorithm. An example is the string "SHA256withRSA".
356 * The ASN.1 definition for this is:
357 * <pre>
358 * signatureAlgorithm AlgorithmIdentifier
359 *
360 * AlgorithmIdentifier ::= SEQUENCE {
361 * algorithm OBJECT IDENTIFIER,
362 * parameters ANY DEFINED BY algorithm OPTIONAL }
363 * -- contains a value of the type
364 * -- registered for use with the
365 * -- algorithm object identifier value
366 * </pre>
367 *
368 * <p>The algorithm name is determined from the {@code algorithm}
369 * OID string.
370 *
371 * @return the signature algorithm name.
372 */
373 public abstract String getSigAlgName();
374
375 /**
376 * Gets the signature algorithm OID string from the certificate.
377 * An OID is represented by a set of nonnegative whole numbers separated
378 * by periods.
379 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
380 * with DSA signature algorithm defined in
381 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
382 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
383 * and CRL Profile</a>.
384 *
385 * <p>See {@link #getSigAlgName() getSigAlgName} for
386 * relevant ASN.1 definitions.
387 *
388 * @return the signature algorithm OID string.
389 */
390 public abstract String getSigAlgOID();
391
392 /**
393 * Gets the DER-encoded signature algorithm parameters from this
394 * certificate's signature algorithm. In most cases, the signature
395 * algorithm parameters are null; the parameters are usually
396 * supplied with the certificate's public key.
397 * If access to individual parameter values is needed then use
398 * {@link java.security.AlgorithmParameters AlgorithmParameters}
399 * and instantiate with the name returned by
400 * {@link #getSigAlgName() getSigAlgName}.
401 *
402 * <p>See {@link #getSigAlgName() getSigAlgName} for
403 * relevant ASN.1 definitions.
404 *
405 * @return the DER-encoded signature algorithm parameters, or
406 * null if no parameters are present.
407 */
408 public abstract byte[] getSigAlgParams();
409
410 /**
411 * Gets the {@code issuerUniqueID} value from the certificate.
412 * The issuer unique identifier is present in the certificate
413 * to handle the possibility of reuse of issuer names over time.
414 * RFC 5280 recommends that names not be reused and that
415 * conforming certificates not make use of unique identifiers.
416 * Applications conforming to that profile should be capable of
417 * parsing unique identifiers and making comparisons.
418 *
419 * <p>The ASN.1 definition for this is:
420 * <pre>
421 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL
422 *
423 * UniqueIdentifier ::= BIT STRING
424 * </pre>
425 *
426 * @return the issuer unique identifier or null if it is not
427 * present in the certificate.
428 */
429 public abstract boolean[] getIssuerUniqueID();
430
431 /**
432 * Gets the {@code subjectUniqueID} value from the certificate.
433 *
434 * <p>The ASN.1 definition for this is:
435 * <pre>
436 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
437 *
438 * UniqueIdentifier ::= BIT STRING
439 * </pre>
440 *
441 * @return the subject unique identifier or null if it is not
442 * present in the certificate.
443 */
444 public abstract boolean[] getSubjectUniqueID();
445
446 /**
447 * Gets a boolean array representing bits of
448 * the {@code KeyUsage} extension, (OID = 2.5.29.15).
449 * The key usage extension defines the purpose (e.g., encipherment,
450 * signature, certificate signing) of the key contained in the
451 * certificate.
452 * The ASN.1 definition for this is:
453 * <pre>
454 * KeyUsage ::= BIT STRING {
455 * digitalSignature (0),
456 * nonRepudiation (1),
457 * keyEncipherment (2),
458 * dataEncipherment (3),
459 * keyAgreement (4),
460 * keyCertSign (5),
461 * cRLSign (6),
462 * encipherOnly (7),
463 * decipherOnly (8) }
464 * </pre>
465 * RFC 5280 recommends that when used, this be marked
466 * as a critical extension.
467 *
468 * @return the KeyUsage extension of this certificate, represented as
469 * an array of booleans. The order of KeyUsage values in the array is
470 * the same as in the above ASN.1 definition. The array will contain a
471 * value for each KeyUsage defined above. If the KeyUsage list encoded
472 * in the certificate is longer than the above list, it will not be
473 * truncated. Returns null if this certificate does not
474 * contain a KeyUsage extension.
475 */
476 public abstract boolean[] getKeyUsage();
477
478 /**
479 * Gets an unmodifiable list of Strings representing the OBJECT
480 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
481 * extended key usage extension, (OID = 2.5.29.37). It indicates
482 * one or more purposes for which the certified public key may be
483 * used, in addition to or in place of the basic purposes
484 * indicated in the key usage extension field. The ASN.1
485 * definition for this is:
486 * <pre>
487 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
488 *
489 * KeyPurposeId ::= OBJECT IDENTIFIER
490 * </pre>
491 *
492 * Key purposes may be defined by any organization with a
493 * need. Object identifiers used to identify key purposes shall be
494 * assigned in accordance with IANA or ITU-T Rec. X.660 |
495 * ISO/IEC/ITU 9834-1.
496 * <p>
497 * This method was added to version 1.4 of the Java 2 Platform Standard
498 * Edition. In order to maintain backwards compatibility with existing
499 * service providers, this method is not {@code abstract}
500 * and it provides a default implementation. Subclasses
501 * should override this method with a correct implementation.
502 *
503 * @return the ExtendedKeyUsage extension of this certificate,
504 * as an unmodifiable list of object identifiers represented
505 * as Strings. Returns null if this certificate does not
506 * contain an ExtendedKeyUsage extension.
507 * @throws CertificateParsingException if the extension cannot be decoded
508 * @since 1.4
509 */
510 public List<String> getExtendedKeyUsage() throws CertificateParsingException {
511 return X509CertImpl.getExtendedKeyUsage(this);
512 }
513
514 /**
515 * Gets the certificate constraints path length from the
516 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
517 * <p>
518 * The basic constraints extension identifies whether the subject
519 * of the certificate is a Certificate Authority (CA) and
520 * how deep a certification path may exist through that CA. The
521 * {@code pathLenConstraint} field (see below) is meaningful
522 * only if {@code cA} is set to TRUE. In this case, it gives the
523 * maximum number of CA certificates that may follow this certificate in a
524 * certification path. A value of zero indicates that only an end-entity
525 * certificate may follow in the path.
526 * <p>
527 * The ASN.1 definition for this is:
528 * <pre>
529 * BasicConstraints ::= SEQUENCE {
530 * cA BOOLEAN DEFAULT FALSE,
531 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
532 * </pre>
533 *
534 * @return the value of {@code pathLenConstraint} if the
535 * BasicConstraints extension is present in the certificate and the
536 * subject of the certificate is a CA, otherwise -1.
537 * If the subject of the certificate is a CA and
538 * {@code pathLenConstraint} does not appear,
539 * {@code Integer.MAX_VALUE} is returned to indicate that there is no
540 * limit to the allowed length of the certification path.
541 */
542 public abstract int getBasicConstraints();
543
544 /**
545 * Gets an immutable collection of subject alternative names from the
546 * {@code SubjectAltName} extension, (OID = 2.5.29.17).
547 * <p>
548 * The ASN.1 definition of the {@code SubjectAltName} extension is:
549 * <pre>
550 * SubjectAltName ::= GeneralNames
551 *
552 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
553 *
554 * GeneralName ::= CHOICE {
555 * otherName [0] OtherName,
556 * rfc822Name [1] IA5String,
557 * dNSName [2] IA5String,
558 * x400Address [3] ORAddress,
559 * directoryName [4] Name,
560 * ediPartyName [5] EDIPartyName,
561 * uniformResourceIdentifier [6] IA5String,
562 * iPAddress [7] OCTET STRING,
563 * registeredID [8] OBJECT IDENTIFIER}
564 * </pre>
565 * <p>
566 * If this certificate does not contain a {@code SubjectAltName}
567 * extension, {@code null} is returned. Otherwise, a
568 * {@code Collection} is returned with an entry representing each
569 * {@code GeneralName} included in the extension. Each entry is a
570 * {@code List} whose first entry is an {@code Integer}
571 * (the name type, 0-8) and whose second entry is a {@code String}
572 * or a byte array (the name, in string or ASN.1 DER encoded form,
573 * respectively).
574 * <p>
575 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
576 * names are returned as {@code String}s,
577 * using the well-established string formats for those types (subject to
578 * the restrictions included in RFC 5280). IPv4 address names are
579 * returned using dotted quad notation. IPv6 address names are returned
580 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
581 * representing the eight 16-bit pieces of the address. OID names are
582 * returned as {@code String}s represented as a series of nonnegative
583 * integers separated by periods. And directory names (distinguished names)
584 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
585 * RFC 2253</a> string format. No standard string format is
586 * defined for otherNames, X.400 names, EDI party names, or any
587 * other type of names. They are returned as byte arrays
588 * containing the ASN.1 DER encoded form of the name.
589 * <p>
590 * Note that the {@code Collection} returned may contain more
591 * than one name of the same type. Also, note that the returned
592 * {@code Collection} is immutable and any entries containing byte
593 * arrays are cloned to protect against subsequent modifications.
594 * <p>
595 * This method was added to version 1.4 of the Java 2 Platform Standard
596 * Edition. In order to maintain backwards compatibility with existing
597 * service providers, this method is not {@code abstract}
598 * and it provides a default implementation. Subclasses
599 * should override this method with a correct implementation.
600 *
601 * @return an immutable {@code Collection} of subject alternative
602 * names (or {@code null})
603 * @throws CertificateParsingException if the extension cannot be decoded
604 * @since 1.4
605 */
606 public Collection<List<?>> getSubjectAlternativeNames()
607 throws CertificateParsingException {
608 return X509CertImpl.getSubjectAlternativeNames(this);
609 }
610
611 /**
612 * Gets an immutable collection of issuer alternative names from the
613 * {@code IssuerAltName} extension, (OID = 2.5.29.18).
614 * <p>
615 * The ASN.1 definition of the {@code IssuerAltName} extension is:
616 * <pre>
617 * IssuerAltName ::= GeneralNames
618 * </pre>
619 * The ASN.1 definition of {@code GeneralNames} is defined
620 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
621 * <p>
622 * If this certificate does not contain an {@code IssuerAltName}
623 * extension, {@code null} is returned. Otherwise, a
624 * {@code Collection} is returned with an entry representing each
625 * {@code GeneralName} included in the extension. Each entry is a
626 * {@code List} whose first entry is an {@code Integer}
627 * (the name type, 0-8) and whose second entry is a {@code String}
628 * or a byte array (the name, in string or ASN.1 DER encoded form,
629 * respectively). For more details about the formats used for each
630 * name type, see the {@code getSubjectAlternativeNames} method.
631 * <p>
632 * Note that the {@code Collection} returned may contain more
633 * than one name of the same type. Also, note that the returned
634 * {@code Collection} is immutable and any entries containing byte
635 * arrays are cloned to protect against subsequent modifications.
636 * <p>
637 * This method was added to version 1.4 of the Java 2 Platform Standard
638 * Edition. In order to maintain backwards compatibility with existing
639 * service providers, this method is not {@code abstract}
640 * and it provides a default implementation. Subclasses
641 * should override this method with a correct implementation.
642 *
643 * @return an immutable {@code Collection} of issuer alternative
644 * names (or {@code null})
645 * @throws CertificateParsingException if the extension cannot be decoded
646 * @since 1.4
647 */
648 public Collection<List<?>> getIssuerAlternativeNames()
649 throws CertificateParsingException {
650 return X509CertImpl.getIssuerAlternativeNames(this);
651 }
652
653 /**
654 * Verifies that this certificate was signed using the
655 * private key that corresponds to the specified public key.
656 * This method uses the signature verification engine
657 * supplied by the specified provider. Note that the specified
658 * Provider object does not have to be registered in the provider list.
659 *
660 * This method was added to version 1.8 of the Java Platform Standard
661 * Edition. In order to maintain backwards compatibility with existing
662 * service providers, this method is not {@code abstract}
663 * and it provides a default implementation.
664 *
665 * @param key the PublicKey used to carry out the verification.
666 * @param sigProvider the signature provider.
667 *
668 * @exception NoSuchAlgorithmException on unsupported signature
669 * algorithms.
670 * @exception InvalidKeyException on incorrect key.
671 * @exception SignatureException on signature errors.
672 * @exception CertificateException on encoding errors.
673 * @exception UnsupportedOperationException if the method is not supported
674 * @since 1.8
675 */
676 public void verify(PublicKey key, Provider sigProvider)
677 throws CertificateException, NoSuchAlgorithmException,
678 InvalidKeyException, SignatureException {
679 String sigName = getSigAlgName();
680 Signature sig = (sigProvider == null)
681 ? Signature.getInstance(sigName)
682 : Signature.getInstance(sigName, sigProvider);
683
684 try {
685 SignatureUtil.initVerifyWithParam(sig, key,
686 SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
687 } catch (ProviderException e) {
688 throw new CertificateException(e.getMessage(), e.getCause());
689 } catch (InvalidAlgorithmParameterException e) {
690 throw new CertificateException(e);
691 }
692
693 byte[] tbsCert = getTBSCertificate();
694 sig.update(tbsCert, 0, tbsCert.length);
695
696 if (sig.verify(getSignature()) == false) {
697 throw new SignatureException("Signature does not match.");
698 }
699 }
700 }
701