java.lang.Object
  java.security.cert.X509CertSelector

All Implemented Interfaces:
  CertSelector

A CertSelector for X.509 certificates, which allows a number of criteria to be set when accepting certificates, from validity dates, to issuer and subject distinguished names, to some of the various X.509 extensions.
Use of this class requires extensive knowledge of the Internet
Engineering Task Force's Public Key Infrastructure (X.509). The primary
document describing this standard is RFC 3280: Internet X.509
Public Key Infrastructure Certificate and Certificate Revocation List
(CRL) Profile.
Note that this class is not thread-safe. If multiple threads will
use or modify this class then they need to synchronize on the object.
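As an added example (not part of this documentation and not the library's own code), the following program loads the JDK's default trust store, wraps its certificates in a collection-backed CertStore, and asks an X509CertSelector for only those CA certificates that are valid today and whose key usage permits certificate signing. The trust-store path and password are the stock JDK defaults and are assumptions; the key usage bit ordering follows RFC 3280 (keyCertSign is bit 5), and the way the matcher interprets a non-negative basic constraints value and the key usage array is taken from the JDK's documented behaviour, which this page does not spell out.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example: query a CertStore with an X509CertSelector so that only
 * currently valid, certificate-signing CA certificates are returned.
 */
public class SelectSigningCAs {

    // Assumption: stock JDK trust store location and its default password.
    static final String CACERTS =
        System.getProperty("java.home") + "/lib/security/cacerts";
    static final char[] PASSWORD = "changeit".toCharArray();

    // KeyUsage bit position of keyCertSign, RFC 3280 section 4.2.1.3.
    static final int KEY_CERT_SIGN = 5;

    /** Loads every X.509 certificate from the trust store into a CertStore. */
    static CertStore loadTrustStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(CACERTS)) {
            ks.load(in, PASSWORD);
        }
        List<Certificate> certs = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                certs.add(c);
            }
        }
        return CertStore.getInstance("Collection",
                                     new CollectionCertStoreParameters(certs));
    }

    /** Selector: valid at 'when', marked as a CA, and allowed to sign certificates. */
    static X509CertSelector signingCaSelector(Date when) {
        X509CertSelector sel = new X509CertSelector();
        sel.setCertificateValid(when);        // notBefore <= when <= notAfter
        sel.setBasicConstraints(0);           // CA with path length >= 0 (JDK semantics, assumed)
        boolean[] keyUsage = new boolean[9];  // bits set to true must be set in the certificate
        keyUsage[KEY_CERT_SIGN] = true;
        sel.setKeyUsage(keyUsage);
        return sel;
    }

    public static void main(String[] args) throws Exception {
        CertStore store = loadTrustStore();
        X509CertSelector sel = signingCaSelector(new Date());
        Collection<? extends Certificate> hits = store.getCertificates(sel);
        System.out.println(hits.size() + " signing CA certificate(s) matched:");
        for (Certificate c : hits) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  " + x.getSubjectX500Principal()
                + "  pathLen=" + x.getBasicConstraints());
        }
        // Passing null clears a criterion; the selector then no longer checks key usage.
        sel.setKeyUsage(null);
        System.out.println(store.getCertificates(sel).size()
            + " matched after clearing the key usage criterion");
    }
}
```

Because the selector is not thread-safe, build one per lookup or synchronize on it; the cheap part is the selector, the CertStore query is where the cost lies.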
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
public X509CertSelector()
Creates a new X.509 certificate selector. The new selector will be empty, and will accept any certificate (provided that it is an X509Certificate).
public void addSubjectAlternativeName(int id, byte[] name) throws IOException
Add a name, as DER-encoded bytes, to the subject alternative names criterion.
- Parameters:
id
- The type of name this is.
public void addSubjectAlternativeName(int id, String name) throws IOException
Add a name to the subject alternative names criterion.
- Parameters:
id
- The type of name this is. Must be in the range [0,8].
name
- The name.
- Throws:
IOException
- If the id is out of range, or if the name is null.
public Object clone()
This method may be called to create a new copy of the Object. The typical behavior is as follows:
- o == o.clone() is false
- o.getClass() == o.clone().getClass() is true
- o.equals(o) is true
However, these are not strict requirements, and may be violated if necessary. Of the three requirements, the last is the most commonly violated, particularly if the subclass does not override Object.equals(Object). If the Object you call clone() on does not implement Cloneable (which is a placeholder interface), then a CloneNotSupportedException is thrown. Notice that Object does not implement Cloneable; this method exists as a convenience for subclasses that do. Object's implementation of clone allocates space for the new Object using the correct class, without calling any constructors, and then fills in all of the new field values with the old field values. Thus, it is a shallow copy. However, subclasses are permitted to make a deep copy. All array types implement Cloneable, and override this method as follows (it should never fail):
  public Object clone()
  {
    try
      {
        // Object.clone() performs the field-by-field copy; the result must be returned.
        return super.clone();
      }
    catch (CloneNotSupportedException e)
      {
        // Arrays always implement Cloneable, so this branch is unreachable.
        throw new InternalError(e.getMessage());
      }
  }
- Specified by:
- clone in interface CertSelector
- Returns:
- a copy of the Object
- See Also:
Cloneable
public byte[] getAuthorityKeyIdentifier()
Returns the authority key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.
- Returns:
- The authority key identifier.
public int getBasicConstraints()
Returns the basic constraints criterion, or -1 if this value is not set.
- Returns:
- The basic constraints.
public X509Certificate getCertificate()
Returns the certificate criterion, or null if this value was not set.
- Returns:
- The certificate.
public Date getCertificateValid()
Returns the date at which certificates must be valid, or null if this criterion was not set.
- Returns:
- The target certificate validity date.
public Set getExtendedKeyUsage()
Returns the set of extended key purpose IDs, as an unmodifiable set of OID strings. Returns null if this criterion is not set.
- Returns:
- The set of key purpose OIDs (strings).
public byte[] getIssuerAsBytes() throws IOException
Returns the issuer criterion as a sequence of DER bytes, or null if this value was not set.
- Returns:
- The issuer.
public String getIssuerAsString()
Returns the issuer criterion as a string, or null if this value was not set.
- Returns:
- The issuer.
public boolean[] getKeyUsage()
Returns the public key usage criterion, or null if this value is not set. Note that the array is cloned to prevent modification.
- Returns:
- The public key usage.
public boolean getMatchAllSubjectAltNames()
Returns whether or not all specified alternative names must match. If false, a certificate is considered a match if one of the specified alternative names matches.
- Returns:
- true if all names must match.
public byte[] getNameConstraints()
Returns the name constraints criterion, or null if this value is not set. Note that the byte array is cloned to prevent modification.
- Returns:
- The name constraints.
public Date getPrivateKeyValid()
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this method is not supported either. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation and simply returns null.
- Returns:
- Null.
public BigInteger getSerialNumber()
Returns the serial number criterion, or null if this value was not set.
- Returns:
- The serial number.
public byte[] getSubjectAsBytes() throws IOException
Returns the subject criterion as a sequence of DER bytes, or null if this value is not set.
- Returns:
- The subject.
public String getSubjectAsString()
Returns the subject criterion as a string, or null if this value was not set.
- Returns:
- The subject.
public byte[] getSubjectKeyIdentifier()
Returns the subject key identifier criterion, or null if this value was not set. Note that the byte array is cloned to prevent modification.
- Returns:
- The subject key identifier.
public PublicKey getSubjectPublicKey()
Returns the subject public key criterion, or null if this value is not set.
- Returns:
- The subject public key.
public String getSubjectPublicKeyAlgID()
Returns the public key algorithm ID that matching certificates must have, or null if this criterion was not set.
- Returns:
- The public key algorithm ID.
public boolean match(Certificate certificate)
Match a certificate. This method will check the given certificate against all the enabled criteria of this selector, and will return true if the given certificate matches.
- Specified by:
- match in interface CertSelector
- Parameters:
certificate
- The certificate to check.
- Returns:
- true if the certificate matches all criteria.
public void setAuthorityKeyIdentifier(byte[] authKeyId)
Sets the authority key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
- Parameters:
public void setBasicConstraints(int basicConstraints)
Sets the basic constraints criterion. Specify -1 to clear this parameter.
- Parameters:
basicConstraints
- The new basic constraints value.
public void setCertificate(X509Certificate cert)
Sets the certificate criterion. If set, only certificates that are equal to the certificate passed here will be accepted.
- Parameters:
cert
- The certificate.
public void setCertificateValid(Date certValid)
Sets the date at which certificates must be valid. Specify null to clear this criterion.
- Parameters:
certValid
- The certificate validity date.
public void setExtendedKeyUsage(Set keyPurposeSet) throws IOException
Sets the extended key usage criterion, as a set of OID strings. Specify null to clear this value.
- Parameters:
keyPurposeSet
- The set of key purpose OIDs.
- Throws:
IOException
- If any element of the set is not a valid OID string.
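As an added example (not part of this documentation and not the library's own code), the program below uses match() as a local policy gate for a TLS server certificate: the certificate must carry the id-kp-serverAuth extended key usage, the digitalSignature key usage bit, and an expected subject. The certificate is read from a file named on the command line and the expected subject is given in RFC 2253 string form; both are assumptions. It also shows that a key purpose given as a symbolic name rather than a dotted-decimal OID string is rejected by setExtendedKeyUsage() with an IOException, as documented above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: apply a server-certificate policy with X509CertSelector.match().
 * Usage: java ServerCertPolicy <cert-file (PEM or DER)> <expected-subject-dn>
 */
public class ServerCertPolicy {

    // id-kp-serverAuth, RFC 3280 section 4.2.1.13.
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    // KeyUsage bit position of digitalSignature, RFC 3280 section 4.2.1.3.
    static final int DIGITAL_SIGNATURE = 0;

    /** Policy: serverAuth EKU, digitalSignature key usage, and the expected subject DN. */
    static X509CertSelector serverAuthPolicy(String expectedSubject) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        Set<String> keyPurposes = new HashSet<>();
        keyPurposes.add(SERVER_AUTH);
        sel.setExtendedKeyUsage(keyPurposes);   // every listed OID must be present in the certificate
        boolean[] keyUsage = new boolean[9];
        keyUsage[DIGITAL_SIGNATURE] = true;     // bits set here must be set in the certificate
        sel.setKeyUsage(keyUsage);
        sel.setSubject(expectedSubject);        // e.g. "CN=www.example.test,O=Example" (assumed RFC 2253 form)
        return sel;
    }

    /** Parses a single certificate from a PEM or DER file. */
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ServerCertPolicy <cert-file> <expected-subject-dn>");
            System.exit(2);
        }
        X509Certificate cert = readCert(args[0]);
        X509CertSelector policy = serverAuthPolicy(args[1]);
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("EKU     : " + cert.getExtendedKeyUsage());
        System.out.println("accepted: " + policy.match(cert));

        // Key purposes must be dotted-decimal OID strings; a symbolic name is rejected up front.
        try {
            policy.setExtendedKeyUsage(Collections.singleton("serverAuth"));
            System.out.println("unexpected: symbolic key purpose accepted");
        } catch (IOException e) {
            System.out.println("rejected invalid OID string: " + e.getMessage());
        }
    }
}
```

A selector is a filter, not a validator: match() says nothing about the signature, the chain, or revocation, so this check belongs after, not instead of, path validation.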
public void setIssuer(byte[] name) throws IOException
Sets the issuer, specified as the DER encoding of the issuer's distinguished name. Only certificates issued by this issuer will be accepted.
- Parameters:
name
- The DER encoding of the issuer's distinguished name.
- Throws:
IOException
- If the given name is incorrectly formatted.
public void setIssuer(String name) throws IOException
Sets the issuer, specified as a string representation of the issuer's distinguished name. Only certificates issued by this issuer will be accepted.
- Parameters:
name
- The string representation of the issuer's distinguished name.
- Throws:
IOException
- If the given name is incorrectly formatted.
public void setKeyUsage(boolean[] keyUsage)
Sets the public key usage criterion. Specify null to clear this value.
- Parameters:
keyUsage
- The public key usage.
public void setMatchAllSubjectAltNames(boolean matchAllNames)
Sets whether or not all subject alternative names must be matched. If false, then a certificate will be considered a match if one alternative name matches.
- Parameters:
matchAllNames
- Whether or not all alternative names must be matched.
public void setNameConstraints(byte[] nameConstraints) throws IOException
Sets the name constraints criterion; specify null to clear this criterion. Note that if non-null, the argument will be cloned to prevent modification.
- Parameters:
nameConstraints
- The new name constraints.
- Throws:
IOException
- If the argument is not a valid DER-encoded name constraints.
public void setPrivateKeyValid(Date UNUSED)
This method, and its related X.509 certificate extension — the private key usage period — is not supported under the Internet PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this method is not supported either. Do not use this method. It is not deprecated, as it is not deprecated in the Java standard, but it is basically a no-operation.
- Parameters:
UNUSED
- Is silently ignored.
public void setSerialNumber(BigInteger serialNo)
Sets the serial number of the desired certificate. Only certificates that contain this serial number are accepted.
- Parameters:
serialNo
- The serial number.
public void setSubject(byte[] name) throws IOException
Sets the subject, specified as the DER encoding of the subject's distinguished name. Only certificates with the given subject will be accepted.
- Parameters:
name
- The DER encoding of the subject's distinguished name.
- Throws:
IOException
- If the given name is incorrectly formatted.
public void setSubject(String name) throws IOException
Sets the subject, specified as a string representation of the subject's distinguished name. Only certificates with the given subject will be accepted.
- Parameters:
name
- The string representation of the subject's distinguished name.
- Throws:
IOException
- If the given name is incorrectly formatted.
public void setSubjectAlternativeNames(Collection altNames) throws IOException
Sets the subject alternative names criterion. Each element of the argument must be a List that contains exactly two elements: the first an Integer, representing the type of name, and the second either a String or a byte array, representing the name itself.
- Parameters:
altNames
- The alternative names.
- Throws:
IOException
- If any element of the argument is invalid.
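As an added example (not part of this documentation and not the library's own code), the class below builds the two-element lists that setSubjectAlternativeNames() expects, contrasts the "all names must match" and "any name suffices" modes, and shows the IOException raised when a name type outside [0,8] is added. The type constants are the GeneralName tag numbers from RFC 3280 section 4.2.1.7 and the host names are constructed sample values.

```java
import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/**
 * Added example: subject alternative name criteria for X509CertSelector.
 */
public class SanCriteria {

    // GeneralName tag numbers (RFC 3280 section 4.2.1.7), used as the "type" Integer.
    static final int RFC822_NAME = 1;
    static final int DNS_NAME = 2;
    static final int URI = 6;
    static final int IP_ADDRESS = 7;

    /** Every listed name must appear in the certificate's SAN extension. */
    static X509CertSelector requireAll(String dnsName, String email) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        Collection<List<?>> names = new ArrayList<>();
        names.add(Arrays.asList(DNS_NAME, dnsName));      // [Integer type, String name]
        names.add(Arrays.asList(RFC822_NAME, email));
        sel.setSubjectAlternativeNames(names);
        sel.setMatchAllSubjectAltNames(true);
        return sel;
    }

    /** Any one of the listed host names is enough for a match. */
    static X509CertSelector acceptAnyHost(String... hosts) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        for (String host : hosts) {
            sel.addSubjectAlternativeName(DNS_NAME, host);
        }
        sel.setMatchAllSubjectAltNames(false);
        return sel;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names.
        X509CertSelector strict = requireAll("api.example.test", "ops@example.test");
        System.out.println("strict: all names required = " + strict.getMatchAllSubjectAltNames());
        System.out.println(strict);

        X509CertSelector lenient = acceptAnyHost("www.example.test", "example.test");
        System.out.println("lenient: all names required = " + lenient.getMatchAllSubjectAltNames());

        // 9 is not a GeneralName tag; the id must lie in [0,8].
        try {
            lenient.addSubjectAlternativeName(9, "bogus");
            System.out.println("unexpected: out-of-range type accepted");
        } catch (IOException e) {
            System.out.println("rejected out-of-range name type: " + e.getMessage());
        }
    }
}
```

Prefer the "match all" mode when the selector encodes a requirement (this certificate must be good for both the host and the mailbox); the "any" mode is for picking a certificate out of a store that may cover several hosts.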
public void setSubjectKeyIdentifier(byte[] subjectKeyId)
Sets the subject key identifier criterion, or null to clear this criterion. Note that the byte array is cloned to prevent modification.
- Parameters:
subjectKeyId
- The subject key identifier.
public void setSubjectPublicKey(byte[] key) throws IOException
Sets the subject public key criterion as a DER-encoded key. Specify null to clear this value.
- Parameters:
key
- The DER-encoded key bytes.
- Throws:
IOException
- If the argument is not a valid DER-encoded key.
public void setSubjectPublicKey(PublicKey key)
Sets the subject public key criterion as an opaque representation. Specify null to clear this criterion.
- Parameters:
key
- The public key.
public void setSubjectPublicKeyAlgID(String sigId) throws IOException
Sets the public key algorithm ID that matching certificates must have. Specify null to clear this criterion.
- Parameters:
sigId
- The public key ID.
- Throws:
IOException
- If the specified ID is not a valid object identifier.
public String toString()
Convert this Object to a human-readable String. There are no limits placed on how long this String should be or what it should contain. We suggest you make it as intuitive as possible to be able to place it into System.out.println() and such. It is typical, but not required, to ensure that this method never completes abruptly with a RuntimeException. This method will be called when performing string concatenation with this object. If the result is null, string concatenation will instead use "null". The default implementation returns getClass().getName() + "@" + Integer.toHexString(hashCode()).
- Returns:
- the String representing this Object, which may be null