home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Book Home Java Enterprise in a Nutshell Search this book

Chapter 19. The java.security.cert Package

The java.security.cert package contains classes for working with identity certificates and certificate revocation lists (CRLs). It defines generic Certificate and CRL classes and X509Certificate and X509CRL classes that provide full support for standard X.509 certificates and CRLs. The CertificateFactory class serves as a certificate parser, providing the ability to convert a stream of bytes into a Certificate or CRL object. This package replaces the deprecated java.security.Certificate interface. Figure 19-1 shows the class hierarchy of this package.

figure

Figure 19-1. The java.security.cert package

CertificateJava 1.2
java.security.certserializable

This abstract class represents an identity certificate. A certificate is an object that contains the name of an entity and a public key for that entity. Certificates are issued by, and bear the digital signature of,x a (presumably trusted) third party, typically a certificate authority (CA). By issuing and signing the certificate, the CA is certifying that, based on their research, the entity named on the certificate really is who they say they are and that the public key in the certificate really does belong to that entity.

Use a CertificateFactory to parse a stream of bytes into a Certificate object; getEncoded() reverses this process. Use verify() to verify the digital signature of the entity that issued the certificate. If the signature cannot be verified, the certificate should not be trusted. Call getPublicKey() to obtain the java.security.PublicKey of the subject of the certificate. Note that this class does not define a method for obtaining the Principal that is associated with the PublicKey. That functionality is dependent on the type of the certificate. See X509Certificate.getSubjectDN(), for example.

Do not confuse this class with the java.security.Certificate interface that was defined in Java 1.1 and has been deprecated in Java 1.2.

public abstract class Certificate implements Serializable {
// Protected Constructors
protected Certificate (String type);
// Inner Classes
1.3;
// Public Instance Methods
public abstract byte[ ] getEncoded () throws CertificateEncodingException;
public abstract java.security.PublicKey getPublicKey ();
public final String getType ();
public abstract void verify (java.security.PublicKey key) throws CertificateExceptionjava.security.NoSuchAlgorithmExceptionjava.security.InvalidKeyExceptionjava.security.NoSuchProviderExceptionjava.security.SignatureException;
public abstract void verify (java.security.PublicKey key, String sigProvider) throws CertificateExceptionjava.security.NoSuchAlgorithmExceptionjava.security.InvalidKeyExceptionjava.security.NoSuchProviderExceptionjava.security.SignatureException;
// Public Methods Overriding Object
public boolean equals (Object other);
public int hashCode ();
public abstract String toString ();
// Protected Instance Methods
1.3protected Object writeReplace () throws java.io.ObjectStreamException;
}

Hierarchy: Object-->java.security.cert.Certificate(Serializable)

Subclasses: X509Certificate

Passed To: java.security.CodeSource.CodeSource(), java.security.KeyStore.{getCertificateAlias(), setCertificateEntry(), setKeyEntry()}, java.security.KeyStoreSpi.{engineGetCertificateAlias(), engineSetCertificateEntry(), engineSetKeyEntry()}, java.security.Signature.initVerify(), java.security.UnresolvedPermission.UnresolvedPermission(), CRL.isRevoked()

Returned By: java.net.JarURLConnection.getCertificates(), java.security.CodeSource.getCertificates(), java.security.KeyStore.{getCertificate(), getCertificateChain()}, java.security.KeyStoreSpi.{engineGetCertificate(), engineGetCertificateChain()}, CertificateFactory.generateCertificate(), CertificateFactorySpi.engineGenerateCertificate(), java.util.jar.JarEntry.getCertificates()

Certificate.CertificateRepJava 1.3 Beta
java.security.certserializable

This protected inner class provides an alternate representation of a certificate that can be used for serialization purposes by the writeReplace() method of some Certificate implementations. Applications do not typically need this class.

protected static class Certificate.CertificateRep implements Serializable {
// Protected Constructors
protected CertificateRep (String type, byte[ ] data);
// Protected Instance Methods
protected Object readResolve () throws java.io.ObjectStreamException;
}
CertificateEncodingExceptionJava 1.2
java.security.certserializable checked

Signals an error while attempting to encode a certificate.

public class CertificateEncodingException extends CertificateException {
// Public Constructors
public CertificateEncodingException ();
public CertificateEncodingException (String message);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CertificateException-->CertificateEncodingException

Thrown By: java.security.cert.Certificate.getEncoded(), X509Certificate.getTBSCertificate()

CertificateExceptionJava 1.2
java.security.certserializable checked

This class is the superclass of several more specific exception types that may be thrown when working with certificates.

public class CertificateException extends java.security.GeneralSecurityException {
// Public Constructors
public CertificateException ();
public CertificateException (String msg);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CertificateException

Subclasses: CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException

Thrown By: java.security.KeyStore.{load(), store()}, java.security.KeyStoreSpi.{engineLoad(), engineStore()}, java.security.cert.Certificate.verify(), CertificateFactory.{generateCertificate(), generateCertificates(), getInstance()}, CertificateFactorySpi.{engineGenerateCertificate(), engineGenerateCertificates()}

CertificateExpiredExceptionJava 1.2
java.security.certserializable checked

Signals that a certificate has expired or will have expired by a specified date.

public class CertificateExpiredException extends CertificateException {
// Public Constructors
public CertificateExpiredException ();
public CertificateExpiredException (String message);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CertificateException-->CertificateExpiredException

Thrown By: X509Certificate.checkValidity()

CertificateFactoryJava 1.2
java.security.cert

This class defines methods for parsing CRLs from byte streams. Obtain a CertificateFactory by calling one of the static getInstance() factory methods and specifying the type of certificate or CRL to be parsed, and, optionally, the desired service provider to perform the parsing. The default "SUN" provider defines only a single "X.509" certificate type. Once you have obtained a CertificateFactory for the desired type of certificate, call generateCertificate() or generateCRL() to parse a single certificate or CRL from a stream. Or call generateCertificates() or generateCRLs() to parse a Collection of certificates or CRLs from the stream. These CertificateFactory methods read to the end of the specified stream. If the stream supports mark() and reset(), however, the CertificateFactory resets the stream to the position after the end of the last certificate or CRL read.

If you specified a certificate type of "X.509", the Certificate and CRL objects returned by a CertificateFactory can be cast safely to X509Certificate and X509CRL. The X.509 certificate factory can parse certificates encoded in binary or printable hexadecimal form. If the certificate is in hexadecimal form, it must begin with the string "-----BEGIN CERTIFICATE-----" and end with the string "-----END CERTIFICATE-----".

public class CertificateFactory {
// Protected Constructors
protected CertificateFactory (CertificateFactorySpi certFacSpi, java.security.Provider provider, String type);
// Public Class Methods
public static final CertificateFactory getInstance (String type) throws CertificateException;
public static final CertificateFactory getInstance (String type, String provider) throws CertificateExceptionjava.security.NoSuchProviderException;
// Public Instance Methods
public final java.security.cert.Certificate generateCertificate (java.io.InputStream inStream) throws CertificateException;
public final java.util.Collection generateCertificates (java.io.InputStream inStream) throws CertificateException;
public final CRL generateCRL (java.io.InputStream inStream) throws CRLException;
public final java.util.Collection generateCRLs (java.io.InputStream inStream) throws CRLException;
public final java.security.Provider getProvider ();
public final String getType ();
}

Returned By: CertificateFactory.getInstance()

CertificateFactorySpiJava 1.2
java.security.cert

This abstract class defines the service provider interface, or SPI, for the CertificateFactory class. A security provider must implement this class for each type of certificate it wishes to support. Applications never need to use or subclass this class.

public abstract class CertificateFactorySpi {
// Public Constructors
public CertificateFactorySpi ();
// Public Instance Methods
public abstract java.security.cert.Certificate engineGenerateCertificate (java.io.InputStream inStream) throws CertificateException;
public abstract java.util.Collection engineGenerateCertificates (java.io.InputStream inStream) throws CertificateException;
public abstract CRL engineGenerateCRL (java.io.InputStream inStream) throws CRLException;
public abstract java.util.Collection engineGenerateCRLs (java.io.InputStream inStream) throws CRLException;
}

Passed To: CertificateFactory.CertificateFactory()

CertificateNotYetValidExceptionJava 1.2
java.security.certserializable checked

Signals that a certificate is not yet valid or will not yet be valid on a specified date.

public class CertificateNotYetValidException extends CertificateException {
// Public Constructors
public CertificateNotYetValidException ();
public CertificateNotYetValidException (String message);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CertificateException-->CertificateNotYetValidException

Thrown By: X509Certificate.checkValidity()

CertificateParsingExceptionJava 1.2
java.security.certserializable checked

Signals an error or other problem while parsing a certificate.

public class CertificateParsingException extends CertificateException {
// Public Constructors
public CertificateParsingException ();
public CertificateParsingException (String message);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CertificateException-->CertificateParsingException

CRLJava 1.2
java.security.cert

This abstract class represents a certificaterevocation list (CRL). A CRL is an object issued by a certificate authority (or other certificate signer) that lists certificates that have been revoked, meaning that they are now invalid and should be rejected. Use a CertificateFactory to parse a CRL from a byte stream. Use the isRevoked() method to test whether a specified Certificate is listed on the CRL. Note that type-specific CRL subclasses, such as X509CRL, may provide access to substantially more information about the revocation list.

public abstract class CRL {
// Protected Constructors
protected CRL (String type);
// Public Instance Methods
public final String getType ();
public abstract boolean isRevoked (java.security.cert.Certificate cert);
// Public Methods Overriding Object
public abstract String toString ();
}

Subclasses: X509CRL

Returned By: CertificateFactory.generateCRL(), CertificateFactorySpi.engineGenerateCRL()

CRLExceptionJava 1.2
java.security.certserializable checked

Signals an error or other problem while working with a CRL.

public class CRLException extends java.security.GeneralSecurityException {
// Public Constructors
public CRLException ();
public CRLException (String message);
}

Hierarchy: Object-->Throwable(Serializable)-->Exception-->java.security.GeneralSecurityException-->CRLException

Thrown By: CertificateFactory.{generateCRL(), generateCRLs()}, CertificateFactorySpi.{engineGenerateCRL(), engineGenerateCRLs()}, X509CRL.{getEncoded(), getTBSCertList(), verify()}, X509CRLEntry.getEncoded()

X509CertificateJava 1.2
java.security.certserializable

This class represents an X.509 certificate. Its various methods provide complete access to the contents of the certificate. For example, verify() checks the digital signature of the certificate to verify that it is not a forged certificate, while checkValidity() checks whether the certificate has expired or has not yet gone into effect. getSubjectDN() returns the Principal to whom this certificate applies, and getPublicKey() returns the PublicKey for that Principal. Note that verify() and getPublicKey() are inherited from Certificate.

Obtain an X509Certificate object by creating a CertificateFactory for certificate type "X.509" and then using generateCertificate() to parse an X.509 certificate from a stream of bytes. Finally, cast the Certificate returned by this method to an X509Certificate.

public abstract class X509Certificate extends java.security.cert.Certificate implements X509Extension {
// Protected Constructors
protected X509Certificate ();
// Property Accessor Methods (by property name)
public abstract int getBasicConstraints ();
public abstract java.util.Set getCriticalExtensionOIDs (); Implements:X509Extension
public abstract java.security.Principal getIssuerDN ();
public abstract boolean[ ] getIssuerUniqueID ();
public abstract boolean[ ] getKeyUsage ();
public abstract java.util.Set getNonCriticalExtensionOIDs (); Implements:X509Extension
public abstract java.util.Date getNotAfter ();
public abstract java.util.Date getNotBefore ();
public abstract java.math.BigInteger getSerialNumber ();
public abstract String getSigAlgName ();
public abstract String getSigAlgOID ();
public abstract byte[ ] getSigAlgParams ();
public abstract byte[ ] getSignature ();
public abstract java.security.Principal getSubjectDN ();
public abstract boolean[ ] getSubjectUniqueID ();
public abstract byte[ ] getTBSCertificate () throws CertificateEncodingException;
public abstract int getVersion ();
// Public Instance Methods
public abstract void checkValidity () throws CertificateExpiredExceptionCertificateNotYetValidException;
public abstract void checkValidity (java.util.Date date) throws CertificateExpiredExceptionCertificateNotYetValidException;
// Methods Implementing X509Extension
public abstract java.util.Set getCriticalExtensionOIDs ();
public abstract byte[ ] getExtensionValue (String oid);
public abstract java.util.Set getNonCriticalExtensionOIDs ();
public abstract boolean hasUnsupportedCriticalExtension ();
}

Hierarchy: Object-->java.security.cert.Certificate(Serializable)-->X509Certificate(X509Extension)

X509CRLJava 1.2
java.security.cert

This class represents an X.509 CRL, which consists primarily of a set of X509CRLEntry objects. The various methods of this class provide access to all the details of the CRL. Use verify() to check the digital signature of the CRL to ensure that it does indeed originate from the the source it specifies. Use the inherited isRevoked() method to determine whether a given certificate has been revoked. If you are curious about the revocation date for a revoked certificate, obtain the X509CRLEntry for that certificate by calling getRevokedCertificate(). Call getThisUpdate() to obtain the date this CRL was issued. Use getNextUpdate() to find if the CRL has been superseded by a newer version.

Obtain an X509CRL object by creating a CertificateFactory for certificate type "X.509" and then using the generateCRL() to parse an X.509 CRL from a stream of bytes. Finally, cast the CRL returned by this method to an X509CRL.

public abstract class X509CRL extends CRL implements X509Extension {
// Protected Constructors
protected X509CRL ();
// Property Accessor Methods (by property name)
public abstract java.util.Set getCriticalExtensionOIDs (); Implements:X509Extension
public abstract byte[ ] getEncoded () throws CRLException;
public abstract java.security.Principal getIssuerDN ();
public abstract java.util.Date getNextUpdate ();
public abstract java.util.Set getNonCriticalExtensionOIDs (); Implements:X509Extension
public abstract java.util.Set getRevokedCertificates ();
public abstract String getSigAlgName ();
public abstract String getSigAlgOID ();
public abstract byte[ ] getSigAlgParams ();
public abstract byte[ ] getSignature ();
public abstract byte[ ] getTBSCertList () throws CRLException;
public abstract java.util.Date getThisUpdate ();
public abstract int getVersion ();
// Public Instance Methods
public abstract X509CRLEntry getRevokedCertificate (java.math.BigInteger serialNumber);
public abstract void verify (java.security.PublicKey key) throws CRLExceptionjava.security.NoSuchAlgorithmExceptionjava.security.InvalidKeyExceptionjava.security.NoSuchProviderExceptionjava.security.SignatureException;
public abstract void verify (java.security.PublicKey key, String sigProvider) throws CRLExceptionjava.security.NoSuchAlgorithmExceptionjava.security.InvalidKeyExceptionjava.security.NoSuchProviderExceptionjava.security.SignatureException;
// Methods Implementing X509Extension
public abstract java.util.Set getCriticalExtensionOIDs ();
public abstract byte[ ] getExtensionValue (String oid);
public abstract java.util.Set getNonCriticalExtensionOIDs ();
public abstract boolean hasUnsupportedCriticalExtension ();
// Public Methods Overriding Object
public boolean equals (Object other);
public int hashCode ();
}

Hierarchy: Object-->CRL-->X509CRL(X509Extension)

X509CRLEntryJava 1.2
java.security.cert

This class represents a single entry in an X509CRL. It contains the serial number and revocation date for a revoked certificate.

public abstract class X509CRLEntry implements X509Extension {
// Public Constructors
public X509CRLEntry ();
// Property Accessor Methods (by property name)
public abstract java.util.Set getCriticalExtensionOIDs (); Implements:X509Extension
public abstract byte[ ] getEncoded () throws CRLException;
public abstract java.util.Set getNonCriticalExtensionOIDs (); Implements:X509Extension
public abstract java.util.Date getRevocationDate ();
public abstract java.math.BigInteger getSerialNumber ();
// Public Instance Methods
public abstract boolean hasExtensions ();
// Methods Implementing X509Extension
public abstract java.util.Set getCriticalExtensionOIDs ();
public abstract byte[ ] getExtensionValue (String oid);
public abstract java.util.Set getNonCriticalExtensionOIDs ();
public abstract boolean hasUnsupportedCriticalExtension ();
// Public Methods Overriding Object
public boolean equals (Object other);
public int hashCode ();
public abstract String toString ();
}

Hierarchy: Object-->X509CRLEntry(X509Extension)

Returned By: X509CRL.getRevokedCertificate()

X509ExtensionJava 1.2
java.security.cert

This interface defines methods for handling a set of extensions to X.509 certificates and CRLs. Each extension has a name, or OID (object identifier), that identifies the type of the extension. An extension may be marked critical or noncritical. Noncritical extensions whose OIDs are not recognized can safely be ignored. However, if a critical exception is not recognized, the Certificate or CRL should be rejected. Each extension in the set has a byte array of data as its value. The interpretation of these bytes depends on the OID of the extension, of course.

public interface X509Extension {
// Public Instance Methods
public abstract java.util.Set getCriticalExtensionOIDs ();
public abstract byte[ ] getExtensionValue (String oid);
public abstract java.util.Set getNonCriticalExtensionOIDs ();
public abstract boolean hasUnsupportedCriticalExtension ();
}

Implementations: X509Certificate, X509CRL, X509CRLEntry



Library Navigation Links

Copyright © 2001 O'Reilly & Associates. All rights reserved.