public class X509CertSelector extends Object implements CertSelector, Cloneable

A CertSelector for X.509 certificates, which allows a number of criteria to be set when accepting certificates, from validity dates, to issuer and subject distinguished names, to some of the various X.509 extensions.

Use of this class requires extensive knowledge of the Internet Engineering Task Force's Public Key Infrastructure (X.509). The primary document describing this standard is RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

Note that this class is not thread-safe. If multiple threads will use or modify this class then they need to synchronize on the object.
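The class description above lists the criteria this selector can combine. As an added example, which is not part of this class's documentation or implementation, the following program builds two selectors from those criteria (validity date, key usage, extended key usage and subject alternative name) and applies them to a collection of certificates, using the JVM's default trust anchors as input so that no certificate data has to be embedded. It assumes a Java 9 or later runtime (for Set.of and List.of) and the JDK semantics that each key-usage bit set to true in the criterion must be set in the certificate; the helper names and the host www.example.com are the example's own choices.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class X509CertSelectorDemo {
    // KeyUsage bit order as in X509Certificate.getKeyUsage(): 0 digitalSignature, 1 nonRepudiation,
    // 2 keyEncipherment, 3 dataEncipherment, 4 keyAgreement, 5 keyCertSign, 6 cRLSign, 7 encipherOnly, 8 decipherOnly
    static final int DIGITAL_SIGNATURE = 0, KEY_CERT_SIGN = 5;
    static final int DNS_NAME = 2;  // GeneralName CHOICE tag [2] dNSName, see addSubjectAlternativeName
    static final String ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";  // RFC 3280 extended key usage: serverAuth
    // Selector for a certificate that is valid right now and has the given KeyUsage bit set.
    static X509CertSelector validWithKeyUsage(int bit) {
        X509CertSelector sel = new X509CertSelector();
        sel.setCertificateValid(new Date());           // notBefore <= now <= notAfter
        boolean[] ku = new boolean[9]; ku[bit] = true; // JDK semantics assumed: every true bit must be set in the cert
        sel.setKeyUsage(ku);
        return sel;
    }
    // Selector for a TLS server certificate for host: adds the EKU and subject-alt-name criteria.
    static X509CertSelector serverCertSelector(String host) throws Exception {
        X509CertSelector sel = validWithKeyUsage(DIGITAL_SIGNATURE);
        sel.setExtendedKeyUsage(Set.of(ID_KP_SERVER_AUTH));
        sel.addSubjectAlternativeName(DNS_NAME, host); // string form; DER-encoded bytes are also accepted
        sel.setMatchAllSubjectAltNames(true);
        return sel;
    }
    // Apply a selector to any certificates; entries that are not X.509 never match.
    static List<X509Certificate> select(X509CertSelector sel, Iterable<? extends Certificate> certs) {
        List<X509Certificate> hits = new ArrayList<>(); // the selector itself is not thread-safe
        for (Certificate c : certs)
            if (c instanceof X509Certificate && sel.match(c)) hits.add((X509Certificate) c);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Input: the JVM's default trust anchors, so no certificate data is embedded here.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        List<X509Certificate> anchors = List.of(((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers());
        System.out.println("anchors able to sign certificates: " + select(validWithKeyUsage(KEY_CERT_SIGN), anchors).size());
        System.out.println("anchors usable as www.example.com server cert: " + select(serverCertSelector("www.example.com"), anchors).size());
    }
}
```

The second count is expected to be 0, since trust anchors are CA certificates rather than server certificates for that host; pass the certificates from your own KeyStore or CertStore to filter those instead.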
| Constructor and Description |
|---|
| X509CertSelector(): Creates a new X.509 certificate selector. |
Modifier and Type | Method and Description |
---|---|
void | addPathToName(int id, byte[] name): Add a name to match in the NameConstraints extension. |
void | addPathToName(int id, String name): Add a name to match in the NameConstraints extension. |
void | addSubjectAlternativeName(int id, byte[] name): Add a name, as DER-encoded bytes, to the subject alternative names criterion. |
void | addSubjectAlternativeName(int id, String name): Add a name to the subject alternative names criterion. |
Object | clone(): This method may be called to create a new copy of the Object. |
byte[] | getAuthorityKeyIdentifier(): Returns the authority key identifier criterion, or null if this value was not set. |
int | getBasicConstraints(): Returns the basic constraints criterion, or -1 if this value is not set. |
X509Certificate | getCertificate(): Returns the certificate criterion, or null if this value was not set. |
Date | getCertificateValid(): Returns the date at which certificates must be valid, or null if this criterion was not set. |
Set<String> | getExtendedKeyUsage(): Returns the set of extended key purpose IDs, as an unmodifiable set of OID strings. |
byte[] | getIssuerAsBytes(): Returns the issuer criterion as a sequence of DER bytes, or null if this value was not set. |
String | getIssuerAsString(): Returns the issuer criterion as a string, or null if this value was not set. |
boolean[] | getKeyUsage(): Returns the public key usage criterion, or null if this value is not set. |
boolean | getMatchAllSubjectAltNames(): Returns whether or not all specified alternative names must match. |
byte[] | getNameConstraints(): Returns the name constraints criterion, or null if this value is not set. |
Collection<List<?>> | getPathToNames() |
Set<String> | getPolicy(): Returns the certificate policy extension that will be matched by this selector, or null if the certificate policy will not be matched. |
Date | getPrivateKeyValid(): This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. |
BigInteger | getSerialNumber(): Returns the serial number criterion, or null if this value was not set. |
Collection<List<?>> | getSubjectAlternativeNames(): Get the subject alternative names criterion. |
byte[] | getSubjectAsBytes(): Returns the subject criterion as a sequence of DER bytes, or null if this value is not set. |
String | getSubjectAsString(): Returns the subject criterion as a string, or null if this value was not set. |
byte[] | getSubjectKeyIdentifier(): Returns the subject key identifier criterion, or null if this value was not set. |
PublicKey | getSubjectPublicKey(): Returns the subject public key criterion, or null if this value is not set. |
String | getSubjectPublicKeyAlgID(): Returns the public key algorithm ID that matching certificates must have, or null if this criterion was not set. |
boolean | match(Certificate certificate): Match a certificate. |
void | setAuthorityKeyIdentifier(byte[] authKeyId): Sets the authority key identifier criterion, or null to clear this criterion. |
void | setBasicConstraints(int basicConstraints): Sets the basic constraints criterion. |
void | setCertificate(X509Certificate cert): Sets the certificate criterion. |
void | setCertificateValid(Date certValid): Sets the date at which certificates must be valid. |
void | setExtendedKeyUsage(Set<String> keyPurposeSet): Sets the extended key usage criterion, as a set of OID strings. |
void | setIssuer(byte[] name): Sets the issuer, specified as the DER encoding of the issuer's distinguished name. |
void | setIssuer(String name): Sets the issuer, specified as a string representation of the issuer's distinguished name. |
void | setKeyUsage(boolean[] keyUsage): Sets the public key usage criterion. |
void | setMatchAllSubjectAltNames(boolean matchAllNames): Sets whether or not all subject alternative names must be matched. |
void | setNameConstraints(byte[] nameConstraints): Sets the name constraints criterion; specify null to clear this criterion. |
void | setPathToNames(Collection<List<?>> names): Sets the pathToNames criterion. |
void | setPolicy(Set<String> policy): Sets the certificate policy to match, or null if this criterion should not be checked. |
void | setPrivateKeyValid(Date UNUSED): This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. |
void | setSerialNumber(BigInteger serialNo): Sets the serial number of the desired certificate. |
void | setSubject(byte[] name): Sets the subject, specified as the DER encoding of the subject's distinguished name. |
void | setSubject(String name): Sets the subject, specified as a string representation of the subject's distinguished name. |
void | setSubjectAlternativeNames(Collection<List<?>> altNames): Sets the subject alternative names criterion. |
void | setSubjectKeyIdentifier(byte[] subjectKeyId): Sets the subject key identifier criterion, or null to clear this criterion. |
void | setSubjectPublicKey(byte[] key): Sets the subject public key criterion as a DER-encoded key. |
void | setSubjectPublicKey(PublicKey key): Sets the subject public key criterion as an opaque representation. |
void | setSubjectPublicKeyAlgID(String sigId): Sets the public key algorithm ID that matching certificates must have. |
String | toString(): Convert this Object to a human-readable String. |
public X509CertSelector()
Creates a new X.509 certificate selector.
See Also:
X509Certificate

public void addPathToName(int id, byte[] name) throws IOException
Add a name to match in the NameConstraints extension. See addSubjectAlternativeName(int, byte[]) for the format of the GeneralName structure.
Parameters:
id - The name identifier. Must be between 0 and 8.
name - The DER-encoded bytes of the name to match.
Throws:
IOException - If the name DER is malformed.

public void addPathToName(int id, String name) throws IOException
Add a name to match in the NameConstraints extension. Use the addPathToName(int, byte[]) method whenever possible.
Parameters:
id - The name identifier. Must be between 0 and 8.
name - The name.
Throws:
IOException - If the name cannot be decoded.

public void addSubjectAlternativeName(int id, byte[] name) throws IOException
Add a name, as DER-encoded bytes, to the subject alternative names criterion. The name is a GeneralName structure:

```asn1
GeneralName ::= CHOICE {
  otherName                  [0] OtherName,
  rfc822Name                 [1] IA5String,
  dNSName                    [2] IA5String,
  x400Address                [3] ORAddress,
  directoryName              [4] Name,
  ediPartyName               [5] EDIPartyName,
  uniformResourceIdentifier  [6] IA5String,
  iPAddress                  [7] OCTET STRING,
  registeredID               [8] OBJECT IDENTIFIER }
```

Parameters:
id - The type of name this is.
name - The DER-encoded name.
Throws:
IOException - If the name is not a valid DER sequence.

public void addSubjectAlternativeName(int id, String name) throws IOException
Add a name to the subject alternative names criterion. Use the addSubjectAlternativeName(int, byte[]) method whenever possible. This method can only decode certain kinds of names as strings.
Parameters:
id - The type of name this is. Must be in the range [0,8].
name - The name.
Throws:
IOException - If the id is out of range, or if the name is null.

public Object clone()
This method may be called to create a new copy of the Object. The typical behavior is as follows:
- o == o.clone() is false
- o.getClass() == o.clone().getClass() is true
- o.equals(o) is true

However, these are not strict requirements, and may be violated if necessary. Of the three requirements, the last is the most commonly violated, particularly if the subclass does not override Object.equals(Object).

If the Object you call clone() on does not implement Cloneable (which is a placeholder interface), then a CloneNotSupportedException is thrown. Notice that Object does not implement Cloneable; this method exists as a convenience for subclasses that do.

Object's implementation of clone allocates space for the new Object using the correct class, without calling any constructors, and then fills in all of the new field values with the old field values. Thus, it is a shallow copy. However, subclasses are permitted to make a deep copy.

All array types implement Cloneable, and override this method as follows (it should never fail):

```java
public Object clone()
{
  try
    {
      // super.clone() performs the shallow field-by-field copy described above
      return super.clone();
    }
  catch (CloneNotSupportedException e)
    {
      // cannot happen for a Cloneable class, so treat it as an internal error
      throw new InternalError(e.getMessage());
    }
}
```

Specified by:
clone in interface CertSelector
Overrides:
clone in class Object
See Also:
Cloneable
public byte[] getAuthorityKeyIdentifier()
Returns the authority key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.

public int getBasicConstraints()
Returns the basic constraints criterion, or -1 if this value is not set.

public X509Certificate getCertificate()
Returns the certificate criterion, or null if this value was not set.

public Date getCertificateValid()
Returns the date at which certificates must be valid, or null if this criterion was not set.

public Set<String> getExtendedKeyUsage()
Returns the set of extended key purpose IDs, as an unmodifiable set of OID strings, or null if this criterion is not set.

public byte[] getIssuerAsBytes() throws IOException
Returns the issuer criterion as a sequence of DER bytes, or null if this value was not set.
Throws:
IOException

public String getIssuerAsString()
Returns the issuer criterion as a string, or null if this value was not set.

public boolean[] getKeyUsage()
Returns the public key usage criterion, or null if this value is not set. Note that the array is cloned to prevent modification.

public boolean getMatchAllSubjectAltNames()
Returns whether or not all specified alternative names must match.

public byte[] getNameConstraints()
Returns the name constraints criterion, or null if this value is not set. Note that the byte array is cloned to prevent modification.

public Collection<List<?>> getPathToNames()

public Set<String> getPolicy()
Returns the certificate policy extension that will be matched by this selector, or null if the certificate policy will not be matched.

public Date getPrivateKeyValid()
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation and simply returns null.

public BigInteger getSerialNumber()
Returns the serial number criterion, or null if this value was not set.

public Collection<List<?>> getSubjectAlternativeNames()
Get the subject alternative names criterion. Each element of the returned collection is a list of two elements: the first is an Integer containing the name type, and the second is a byte array containing the DER-encoded name bytes.

public byte[] getSubjectAsBytes() throws IOException
Returns the subject criterion as a sequence of DER bytes, or null if this value is not set.
Throws:
IOException
public String getSubjectAsString()
Returns the subject criterion as a string, or null if this value was not set.

public byte[] getSubjectKeyIdentifier()
Returns the subject key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.

public PublicKey getSubjectPublicKey()
Returns the subject public key criterion, or null if this value is not set.

public String getSubjectPublicKeyAlgID()
Returns the public key algorithm ID that matching certificates must have, or null if this criterion was not set.

public boolean match(Certificate certificate)
Match a certificate.
Specified by:
match in interface CertSelector
Parameters:
certificate - The certificate to check.
Returns:
true if the given certificate matches.

public void setAuthorityKeyIdentifier(byte[] authKeyId)
Sets the authority key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
Parameters:
authKeyId - The authority key identifier.

public void setBasicConstraints(int basicConstraints)
Sets the basic constraints criterion.
Parameters:
basicConstraints - The new basic constraints value.

public void setCertificate(X509Certificate cert)
Sets the certificate criterion.
Parameters:
cert - The certificate.

public void setCertificateValid(Date certValid)
Sets the date at which certificates must be valid, or null to clear this criterion.
Parameters:
certValid - The certificate validity date.

public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException
Sets the extended key usage criterion, as a set of OID strings, or null to clear this value.
Parameters:
keyPurposeSet - The set of key purpose OIDs.
Throws:
IOException - If any element of the set is not a valid OID string.

public void setIssuer(byte[] name) throws IOException
Sets the issuer, specified as the DER encoding of the issuer's distinguished name.
Parameters:
name - The DER encoding of the issuer's distinguished name.
Throws:
IOException - If the given name is incorrectly formatted.

public void setIssuer(String name) throws IOException
Sets the issuer, specified as a string representation of the issuer's distinguished name.
Parameters:
name - The string representation of the issuer's distinguished name.
Throws:
IOException - If the given name is incorrectly formatted.

public void setKeyUsage(boolean[] keyUsage)
Sets the public key usage criterion, or null to clear this value.
Parameters:
keyUsage - The public key usage.

public void setMatchAllSubjectAltNames(boolean matchAllNames)
Sets whether or not all subject alternative names must be matched.
Parameters:
matchAllNames - Whether or not all alternative names must be matched.

public void setNameConstraints(byte[] nameConstraints) throws IOException
Sets the name constraints criterion; specify null to clear this criterion. Note that if non-null, the argument will be cloned to prevent modification.
Parameters:
nameConstraints - The new name constraints.
Throws:
IOException - If the argument is not a valid DER-encoded name constraints.

public void setPathToNames(Collection<List<?>> names) throws IOException
Sets the pathToNames criterion. Each element of the collection is a list of two elements: the first is an Integer giving the ID of the name, and the second element is either a String or a byte array. See addPathToName(int, byte[]) and addPathToName(int, String) for how these arguments are handled.
Parameters:
names - The names.
Throws:
IOException - If any argument is malformed.

public void setPolicy(Set<String> policy) throws IOException
Sets the certificate policy to match, or null if this criterion should not be checked.
Parameters:
policy - The policy to match.
Throws:
IOException - If some element of the policy is not a valid policy extension OID.

public void setPrivateKeyValid(Date UNUSED)
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation.
Parameters:
UNUSED - Is silently ignored.

public void setSerialNumber(BigInteger serialNo)
Sets the serial number of the desired certificate.
Parameters:
serialNo - The serial number.

public void setSubject(byte[] name) throws IOException
Sets the subject, specified as the DER encoding of the subject's distinguished name.
Parameters:
name - The DER encoding of the subject's distinguished name.
Throws:
IOException - If the given name is incorrectly formatted.

public void setSubject(String name) throws IOException
Sets the subject, specified as a string representation of the subject's distinguished name.
Parameters:
name - The string representation of the subject's distinguished name.
Throws:
IOException - If the given name is incorrectly formatted.

public void setSubjectAlternativeNames(Collection<List<?>> altNames) throws IOException
Sets the subject alternative names criterion. Each element of the argument is a List that contains exactly two elements: the first an Integer, representing the type of name, and the second either a String or a byte array, representing the name itself.
Parameters:
altNames - The alternative names.
Throws:
IOException - If any element of the argument is invalid.

public void setSubjectKeyIdentifier(byte[] subjectKeyId)
Sets the subject key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
Parameters:
subjectKeyId - The subject key identifier.

public void setSubjectPublicKey(byte[] key) throws IOException
Sets the subject public key criterion as a DER-encoded key, or null to clear this value.
Parameters:
key - The DER-encoded key bytes.
Throws:
IOException - If the argument is not a valid DER-encoded key.

public void setSubjectPublicKey(PublicKey key)
Sets the subject public key criterion as an opaque representation, or null to clear this criterion.
Parameters:
key - The public key.

public void setSubjectPublicKeyAlgID(String sigId) throws IOException
Sets the public key algorithm ID that matching certificates must have, or null to clear this criterion.
Parameters:
sigId - The public key ID.
Throws:
IOException - If the specified ID is not a valid object identifier.

public String toString()
Convert this Object to a human-readable String, one suitable for placing into System.out.println() and such.

It is typical, but not required, to ensure that this method never completes abruptly with a RuntimeException.

This method will be called when performing string concatenation with this object. If the result is null, string concatenation will instead use "null".

The default implementation returns getClass().getName() + "@" + Integer.toHexString(hashCode()).

Overrides:
toString in class Object
See Also:
Object.getClass(), Object.hashCode(), Class.getName(), Integer.toHexString(int)