Package com.unboundid.util.ssl.cert
Class X509Certificate
- java.lang.Object
-
- com.unboundid.util.ssl.cert.X509Certificate
-
- All Implemented Interfaces:
java.io.Serializable
@NotMutable @ThreadSafety(level=COMPLETELY_THREADSAFE) public final class X509Certificate extends java.lang.Object implements java.io.Serializable
This class provides support for decoding an X.509 certificate as defined in RFC 5280. The certificate is encoded using the ASN.1 Distinguished Encoding Rules (DER), which is a subset of BER, and is supported by the code in thecom.unboundid.asn1
package. The ASN.1 specification is as follows:Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version MUST be v3 } Version ::= INTEGER { v1(0), v2(1), v3(2) } CertificateSerialNumber ::= INTEGER Validity ::= SEQUENCE { notBefore Time, notAfter Time } Time ::= CHOICE { utcTime UTCTime, generalTime GeneralizedTime } UniqueIdentifier ::= BIT STRING SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING -- contains the DER encoding of an ASN.1 value -- corresponding to the extension type identified -- by extnID } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } Name ::= CHOICE { -- only one possibility for now -- rdnSequence RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY -- DEFINED BY AttributeType
- See Also:
- Serialized Form
-
-
Constructor Summary
Constructors Constructor Description X509Certificate(byte[] encodedCertificate)
Decodes the contents of the provided byte array as an X.509 certificate.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
equals(java.lang.Object o)
Indicates whether the provided object is considered equal to this X.509 certificate.static X509Certificate
generateIssuerSignedCertificate(SignatureAlgorithmIdentifier signatureAlgorithm, X509Certificate issuerCertificate, java.security.PrivateKey issuerPrivateKey, OID publicKeyAlgorithmOID, ASN1Element publicKeyAlgorithmParameters, ASN1BitString encodedPublicKey, DecodedPublicKey decodedPublicKey, DN subjectDN, long notBefore, long notAfter, X509CertificateExtension... extensions)
Generates an issuer-signed X.509 certificate with the provided information.static ObjectPair<X509Certificate,java.security.KeyPair>
generateSelfSignedCertificate(SignatureAlgorithmIdentifier signatureAlgorithm, PublicKeyAlgorithmIdentifier publicKeyAlgorithm, int keySizeBits, DN subjectDN, long notBefore, long notAfter, X509CertificateExtension... extensions)
Generates a self-signed X.509 certificate with the provided information.static X509Certificate
generateSelfSignedCertificate(SignatureAlgorithmIdentifier signatureAlgorithm, java.security.KeyPair keyPair, DN subjectDN, long notBefore, long notAfter, X509CertificateExtension... extensions)
Generates a self-signed X.509 certificate with the provided information.DecodedPublicKey
getDecodedPublicKey()
Retrieves a decoded representation of the public key, if available.ASN1BitString
getEncodedPublicKey()
Retrieves the encoded public key as a bit string.java.util.List<X509CertificateExtension>
getExtensions()
Retrieves the list of certificate extensions.DN
getIssuerDN()
Retrieves the certificate issuer DN.ASN1BitString
getIssuerUniqueID()
Retrieves the issuer unique identifier for the certificate, if any.java.util.Date
getNotAfterDate()
Retrieves the certificate validity end time as aDate
.long
getNotAfterTime()
Retrieves the certificate validity end time as the number of milliseconds since the epoch (January 1, 1970 UTC).java.util.Date
getNotBeforeDate()
Retrieves the certificate validity start time as aDate
.long
getNotBeforeTime()
Retrieves the certificate validity start time as the number of milliseconds since the epoch (January 1, 1970 UTC).java.lang.String
getPublicKeyAlgorithmName()
Retrieves the certificate public key algorithm name, if available.java.lang.String
getPublicKeyAlgorithmNameOrOID()
Retrieves the public key algorithm name if it is available, or the string representation of the public key algorithm OID if not.OID
getPublicKeyAlgorithmOID()
Retrieves the certificate public key algorithm OID.ASN1Element
getPublicKeyAlgorithmParameters()
Retrieves the encoded public key algorithm parameters, if present.java.math.BigInteger
getSerialNumber()
Retrieves the certificate serial number.byte[]
getSHA1Fingerprint()
Retrieves the bytes that comprise a SHA-1 fingerprint of this certificate.byte[]
getSHA256Fingerprint()
Retrieves the bytes that comprise a 256-bit SHA-2 fingerprint of this certificate.java.lang.String
getSignatureAlgorithmName()
Retrieves the certificate signature algorithm name, if available.java.lang.String
getSignatureAlgorithmNameOrOID()
Retrieves the signature algorithm name if it is available, or the string representation of the signature algorithm OID if not.OID
getSignatureAlgorithmOID()
Retrieves the certificate signature algorithm OID.ASN1Element
getSignatureAlgorithmParameters()
Retrieves the encoded signature algorithm parameters, if present.ASN1BitString
getSignatureValue()
Retrieves the signature value for the certificate.DN
getSubjectDN()
Retrieves the certificate subject DN.ASN1BitString
getSubjectUniqueID()
Retrieves the subject unique identifier for the certificate, if any.X509CertificateVersion
getVersion()
Retrieves the certificate version.byte[]
getX509CertificateBytes()
Retrieves the bytes that comprise the encoded representation of this X.509 certificate.int
hashCode()
Retrieves a hash code for this certificate.boolean
isIssuerFor(X509Certificate c)
Indicates whether this certificate is the issuer for the provided certificate.boolean
isIssuerFor(X509Certificate c, java.lang.StringBuilder nonMatchReason)
Indicates whether this certificate is the issuer for the provided certificate.boolean
isSelfSigned()
Indicates whether this certificate is self-signed.boolean
isWithinValidityWindow()
Indicates whether the current time is within the certificate's validity window.boolean
isWithinValidityWindow(long time)
Indicates whether the specified time is within the certificate's validity window.boolean
isWithinValidityWindow(java.util.Date date)
Indicates whether the providedDate
represents a time within the certificate's validity window.java.security.cert.Certificate
toCertificate()
Converts this X.509 certificate object to a JavaCertificate
object.java.util.List<java.lang.String>
toPEM()
Retrieves a list of the lines that comprise a PEM representation of this X.509 certificate.java.lang.String
toPEMString()
Retrieves a multi-line string containing a PEM representation of this X.509 certificate.java.lang.String
toString()
Retrieves a string representation of the decoded X.509 certificate.void
toString(java.lang.StringBuilder buffer)
Appends a string representation of the decoded X.509 certificate to the provided buffer.void
verifySignature(X509Certificate issuerCertificate)
Verifies the signature for this certificate.
-
-
-
Constructor Detail
-
X509Certificate
public X509Certificate(@NotNull byte[] encodedCertificate) throws CertException
Decodes the contents of the provided byte array as an X.509 certificate.- Parameters:
encodedCertificate
- The byte array containing the encoded X.509 certificate. This must not benull
.- Throws:
CertException
- If the contents of the provided byte array could not be decoded as a valid X.509 certificate.
-
-
Method Detail
-
generateSelfSignedCertificate
@NotNull public static ObjectPair<X509Certificate,java.security.KeyPair> generateSelfSignedCertificate(@NotNull SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull PublicKeyAlgorithmIdentifier publicKeyAlgorithm, int keySizeBits, @NotNull DN subjectDN, long notBefore, long notAfter, @Nullable X509CertificateExtension... extensions) throws CertException
Generates a self-signed X.509 certificate with the provided information.- Parameters:
signatureAlgorithm
- The algorithm to use to generate the signature. This must not benull
.publicKeyAlgorithm
- The algorithm to use to generate the key pair. This must not benull
.keySizeBits
- The size of the key to generate, in bits.subjectDN
- The subject DN for the certificate. This must not benull
.notBefore
- The validity start time for the certificate.notAfter
- The validity end time for the certificate.extensions
- The set of extensions to include in the certificate. This may benull
or empty if the certificate should not include any custom extensions. Note that the generated certificate will automatically include aSubjectKeyIdentifierExtension
, so that should not be provided.- Returns:
- An
ObjectPair
that contains both the self-signed certificate and its corresponding key pair. - Throws:
CertException
- If a problem is encountered while creating the certificate.
-
generateSelfSignedCertificate
@NotNull public static X509Certificate generateSelfSignedCertificate(@NotNull SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull java.security.KeyPair keyPair, @NotNull DN subjectDN, long notBefore, long notAfter, @Nullable X509CertificateExtension... extensions) throws CertException
Generates a self-signed X.509 certificate with the provided information.- Parameters:
signatureAlgorithm
- The algorithm to use to generate the signature. This must not benull
.keyPair
- The key pair for the certificate. This must not benull
.subjectDN
- The subject DN for the certificate. This must not benull
.notBefore
- The validity start time for the certificate.notAfter
- The validity end time for the certificate.extensions
- The set of extensions to include in the certificate. This may benull
or empty if the certificate should not include any custom extensions. Note that the generated certificate will automatically include aSubjectKeyIdentifierExtension
, so that should not be provided.- Returns:
- An
ObjectPair
that contains both the self-signed certificate and its corresponding key pair. - Throws:
CertException
- If a problem is encountered while creating the certificate.
-
generateIssuerSignedCertificate
@NotNull public static X509Certificate generateIssuerSignedCertificate(@NotNull SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull X509Certificate issuerCertificate, @NotNull java.security.PrivateKey issuerPrivateKey, @NotNull OID publicKeyAlgorithmOID, @Nullable ASN1Element publicKeyAlgorithmParameters, @NotNull ASN1BitString encodedPublicKey, @Nullable DecodedPublicKey decodedPublicKey, @NotNull DN subjectDN, long notBefore, long notAfter, @NotNull X509CertificateExtension... extensions) throws CertException
Generates an issuer-signed X.509 certificate with the provided information.- Parameters:
signatureAlgorithm
- The algorithm to use to generate the signature. This must not benull
.issuerCertificate
- The certificate for the issuer. This must not benull
.issuerPrivateKey
- The private key for the issuer. This must not benull
.publicKeyAlgorithmOID
- The OID for the certificate's public key algorithm. This must not benull
.publicKeyAlgorithmParameters
- The encoded public key algorithm parameters for the certificate. This may benull
if there are no parameters.encodedPublicKey
- The encoded public key for the certificate. This must not benull
.decodedPublicKey
- The decoded public key for the certificate. This may benull
if it is not available.subjectDN
- The subject DN for the certificate. This must not benull
.notBefore
- The validity start time for the certificate.notAfter
- The validity end time for the certificate.extensions
- The set of extensions to include in the certificate. This may benull
or empty if the certificate should not include any custom extensions. Note that the generated certificate will automatically include aSubjectKeyIdentifierExtension
, so that should not be provided. In addition, if the issuer certificate includes its ownSubjectKeyIdentifierExtension
, then its value will be used to generate anAuthorityKeyIdentifierExtension
.- Returns:
- The issuer-signed certificate.
- Throws:
CertException
- If a problem is encountered while creating the certificate.
-
getX509CertificateBytes
@NotNull public byte[] getX509CertificateBytes()
Retrieves the bytes that comprise the encoded representation of this X.509 certificate.- Returns:
- The bytes that comprise the encoded representation of this X.509 certificate.
-
getVersion
@NotNull public X509CertificateVersion getVersion()
Retrieves the certificate version.- Returns:
- The certificate version.
-
getSerialNumber
@NotNull public java.math.BigInteger getSerialNumber()
Retrieves the certificate serial number.- Returns:
- The certificate serial number.
-
getSignatureAlgorithmOID
@NotNull public OID getSignatureAlgorithmOID()
Retrieves the certificate signature algorithm OID.- Returns:
- The certificate signature algorithm OID.
-
getSignatureAlgorithmName
@Nullable public java.lang.String getSignatureAlgorithmName()
Retrieves the certificate signature algorithm name, if available.- Returns:
- The certificate signature algorithm name, or
null
if the signature algorithm OID does not correspond to any known algorithm name.
-
getSignatureAlgorithmNameOrOID
@NotNull public java.lang.String getSignatureAlgorithmNameOrOID()
Retrieves the signature algorithm name if it is available, or the string representation of the signature algorithm OID if not.- Returns:
- The signature algorithm name or OID.
-
getSignatureAlgorithmParameters
@Nullable public ASN1Element getSignatureAlgorithmParameters()
Retrieves the encoded signature algorithm parameters, if present.- Returns:
- The encoded signature algorithm parameters, or
null
if there are no signature algorithm parameters.
-
getIssuerDN
@NotNull public DN getIssuerDN()
Retrieves the certificate issuer DN.- Returns:
- The certificate issuer DN.
-
getNotBeforeTime
public long getNotBeforeTime()
Retrieves the certificate validity start time as the number of milliseconds since the epoch (January 1, 1970 UTC).- Returns:
- The certificate validity start time as the number of milliseconds since the epoch.
-
getNotBeforeDate
@NotNull public java.util.Date getNotBeforeDate()
Retrieves the certificate validity start time as aDate
.- Returns:
- The certificate validity start time as a
Date
.
-
getNotAfterTime
public long getNotAfterTime()
Retrieves the certificate validity end time as the number of milliseconds since the epoch (January 1, 1970 UTC).- Returns:
- The certificate validity end time as the number of milliseconds since the epoch.
-
getNotAfterDate
@NotNull public java.util.Date getNotAfterDate()
Retrieves the certificate validity end time as aDate
.- Returns:
- The certificate validity end time as a
Date
.
-
isWithinValidityWindow
public boolean isWithinValidityWindow()
Indicates whether the current time is within the certificate's validity window.- Returns:
true
if the current time is within the certificate's validity window, orfalse
if not.
-
isWithinValidityWindow
public boolean isWithinValidityWindow(@NotNull java.util.Date date)
Indicates whether the providedDate
represents a time within the certificate's validity window.- Parameters:
date
- TheDate
for which to make the determination. It must not benull
.- Returns:
true
if the providedDate
is within the certificate's validity window, orfalse
if not.
-
isWithinValidityWindow
public boolean isWithinValidityWindow(long time)
Indicates whether the specified time is within the certificate's validity window.- Parameters:
time
- The time to for which to make the determination.- Returns:
true
if the specified time is within the certificate's validity window, orfalse
if not.
-
getSubjectDN
@NotNull public DN getSubjectDN()
Retrieves the certificate subject DN.- Returns:
- The certificate subject DN.
-
getPublicKeyAlgorithmOID
@NotNull public OID getPublicKeyAlgorithmOID()
Retrieves the certificate public key algorithm OID.- Returns:
- The certificate public key algorithm OID.
-
getPublicKeyAlgorithmName
@Nullable public java.lang.String getPublicKeyAlgorithmName()
Retrieves the certificate public key algorithm name, if available.- Returns:
- The certificate public key algorithm name, or
null
if the public key algorithm OID does not correspond to any known algorithm name.
-
getPublicKeyAlgorithmNameOrOID
@NotNull public java.lang.String getPublicKeyAlgorithmNameOrOID()
Retrieves the public key algorithm name if it is available, or the string representation of the public key algorithm OID if not.- Returns:
- The signature algorithm name or OID.
-
getPublicKeyAlgorithmParameters
@Nullable public ASN1Element getPublicKeyAlgorithmParameters()
Retrieves the encoded public key algorithm parameters, if present.- Returns:
- The encoded public key algorithm parameters, or
null
if there are no public key algorithm parameters.
-
getEncodedPublicKey
@NotNull public ASN1BitString getEncodedPublicKey()
Retrieves the encoded public key as a bit string.- Returns:
- The encoded public key as a bit string.
-
getDecodedPublicKey
@Nullable public DecodedPublicKey getDecodedPublicKey()
Retrieves a decoded representation of the public key, if available.- Returns:
- A decoded representation of the public key, or
null
if the public key could not be decoded.
-
getIssuerUniqueID
@Nullable public ASN1BitString getIssuerUniqueID()
Retrieves the issuer unique identifier for the certificate, if any.- Returns:
- The issuer unique identifier for the certificate, or
null
if there is none.
-
getSubjectUniqueID
@Nullable public ASN1BitString getSubjectUniqueID()
Retrieves the subject unique identifier for the certificate, if any.- Returns:
- The subject unique identifier for the certificate, or
null
if there is none.
-
getExtensions
@NotNull public java.util.List<X509CertificateExtension> getExtensions()
Retrieves the list of certificate extensions.- Returns:
- The list of certificate extensions.
-
getSignatureValue
@NotNull public ASN1BitString getSignatureValue()
Retrieves the signature value for the certificate.- Returns:
- The signature value for the certificate.
-
verifySignature
public void verifySignature(@Nullable X509Certificate issuerCertificate) throws CertException
Verifies the signature for this certificate.- Parameters:
issuerCertificate
- The issuer certificate for this certificate. It may benull
if this is a self-signed certificate. It must not benull
if it is not a self-signed certificate.- Throws:
CertException
- If the certificate signature could not be verified.
-
getSHA1Fingerprint
@NotNull public byte[] getSHA1Fingerprint() throws CertException
Retrieves the bytes that comprise a SHA-1 fingerprint of this certificate.- Returns:
- The bytes that comprise a SHA-1 fingerprint of this certificate.
- Throws:
CertException
- If a problem is encountered while computing the fingerprint.
-
getSHA256Fingerprint
@NotNull public byte[] getSHA256Fingerprint() throws CertException
Retrieves the bytes that comprise a 256-bit SHA-2 fingerprint of this certificate.- Returns:
- The bytes that comprise a 256-bit SHA-2 fingerprint of this certificate.
- Throws:
CertException
- If a problem is encountered while computing the fingerprint.
-
isSelfSigned
public boolean isSelfSigned()
Indicates whether this certificate is self-signed. The following criteria will be used to make the determination:- If the certificate has both subject key identifier and authority key identifier extensions, then it will be considered self-signed if and only if the subject key identifier matches the authority key identifier.
- If the certificate does not have both a subject key identifier and an authority key identifier, then it will be considered self-signed if and only if its subject DN matches its issuer DN.
- Returns:
true
if this certificate is self-signed, orfalse
if it is not.
-
isIssuerFor
public boolean isIssuerFor(@NotNull X509Certificate c)
Indicates whether this certificate is the issuer for the provided certificate. In order for this to be true, the following conditions must be met:- The subject DN of this certificate must match the issuer DN for the provided certificate.
- If the provided certificate has an authority key identifier extension, then this certificate must have a subject key identifier extension with a matching identifier value.
- Parameters:
c
- The certificate for which to make the determination. This must not benull
.- Returns:
true
if this certificate is considered the issuer for the provided certificate, or false if not.
-
isIssuerFor
public boolean isIssuerFor(@NotNull X509Certificate c, @Nullable java.lang.StringBuilder nonMatchReason)
Indicates whether this certificate is the issuer for the provided certificate. In order for this to be true, the following conditions must be met:- The subject DN of this certificate must match the issuer DN for the provided certificate.
- If the provided certificate has an authority key identifier extension, then this certificate must have a subject key identifier extension with a matching identifier value.
- Parameters:
c
- The certificate for which to make the determination. This must not benull
.nonMatchReason
- An optional buffer that may be updated with the reason that this certificate is not considered the issuer for the provided certificate. This may benull
if the caller does not require a reason.- Returns:
true
if this certificate is considered the issuer for the provided certificate, or false if not.
-
toCertificate
@NotNull public java.security.cert.Certificate toCertificate() throws java.security.cert.CertificateException
Converts this X.509 certificate object to a JavaCertificate
object.- Returns:
- The Java
Certificate
object that corresponds to this X.509 certificate. - Throws:
java.security.cert.CertificateException
- If a problem is encountered while performing the conversion.
-
hashCode
public int hashCode()
Retrieves a hash code for this certificate.- Overrides:
hashCode
in classjava.lang.Object
- Returns:
- A hash code for this certificate.
-
equals
public boolean equals(@Nullable java.lang.Object o)
Indicates whether the provided object is considered equal to this X.509 certificate.- Overrides:
equals
in classjava.lang.Object
- Parameters:
o
- The object for which to make the determination.- Returns:
true
if the provided object is considered equal to this X.509 certificate, orfalse
if not.
-
toString
@NotNull public java.lang.String toString()
Retrieves a string representation of the decoded X.509 certificate.- Overrides:
toString
in classjava.lang.Object
- Returns:
- A string representation of the decoded X.509 certificate.
-
toString
public void toString(@NotNull java.lang.StringBuilder buffer)
Appends a string representation of the decoded X.509 certificate to the provided buffer.- Parameters:
buffer
- The buffer to which the information should be appended.
-
toPEM
@NotNull public java.util.List<java.lang.String> toPEM()
Retrieves a list of the lines that comprise a PEM representation of this X.509 certificate.- Returns:
- A list of the lines that comprise a PEM representation of this X.509 certificate.
-
toPEMString
@NotNull public java.lang.String toPEMString()
Retrieves a multi-line string containing a PEM representation of this X.509 certificate.- Returns:
- A multi-line string containing a PEM representation of this X.509 certificate.
-
-