- java.lang.Object
-
- java.security.cert.X509CertSelector
-
- All Implemented Interfaces:
Cloneable,CertSelector
public class X509CertSelector extends Object implements CertSelector
ACertSelectorthat selectsX509Certificatesthat match all specified criteria. This class is particularly useful when selecting certificates from aCertStoreto build a PKIX-compliant certification path.When first constructed, an
X509CertSelectorhas no criteria enabled and each of thegetmethods return a default value (null, or-1for thegetBasicConstraintsmethod). Therefore, thematchmethod would returntruefor anyX509Certificate. Typically, several criteria are enabled (by callingsetIssuerorsetKeyUsage, for instance) and then theX509CertSelectoris passed toCertStore.getCertificatesor some similar method.Several criteria can be enabled (by calling
setIssuerandsetSerialNumber, for example) such that thematchmethod usually uniquely matches a singleX509Certificate. We say usually, since it is possible for two issuing CAs to have the same distinguished name and each issue a certificate with the same serial number. Other unique combinations include the issuer, subject, subjectKeyIdentifier and/or the subjectPublicKey criteria.Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 certificate extensions mentioned below.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.4
- See Also:
CertSelector,X509Certificate
-
-
Constructor Summary
Constructors Constructor Description X509CertSelector()Creates anX509CertSelector.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voidaddPathToName(int type, byte[] name)Adds a name to the pathToNames criterion.voidaddPathToName(int type, String name)Adds a name to the pathToNames criterion.voidaddSubjectAlternativeName(int type, byte[] name)Adds a name to the subjectAlternativeNames criterion.voidaddSubjectAlternativeName(int type, String name)Adds a name to the subjectAlternativeNames criterion.Objectclone()Returns a copy of this object.byte[]getAuthorityKeyIdentifier()Returns the authorityKeyIdentifier criterion.intgetBasicConstraints()Returns the basic constraints constraint.X509CertificategetCertificate()Returns the certificateEquals criterion.DategetCertificateValid()Returns the certificateValid criterion.Set<String>getExtendedKeyUsage()Returns the extendedKeyUsage criterion.X500PrincipalgetIssuer()Returns the issuer criterion as anX500Principal.byte[]getIssuerAsBytes()Returns the issuer criterion as a byte array.StringgetIssuerAsString()Denigrated, use getIssuer() or getIssuerAsBytes() instead.boolean[]getKeyUsage()Returns the keyUsage criterion.booleangetMatchAllSubjectAltNames()Indicates if theX509Certificatemust contain all or at least one of the subjectAlternativeNames specified in thesetSubjectAlternativeNamesoraddSubjectAlternativeNamemethods.byte[]getNameConstraints()Returns the name constraints criterion.Collection<List<?>>getPathToNames()Returns a copy of the pathToNames criterion.Set<String>getPolicy()Returns the policy criterion.DategetPrivateKeyValid()Returns the privateKeyValid criterion.BigIntegergetSerialNumber()Returns the serialNumber criterion.X500PrincipalgetSubject()Returns the subject criterion as anX500Principal.Collection<List<?>>getSubjectAlternativeNames()Returns a copy of the subjectAlternativeNames criterion.byte[]getSubjectAsBytes()Returns the subject criterion as a byte array.StringgetSubjectAsString()Denigrated, use getSubject() or getSubjectAsBytes() instead.byte[]getSubjectKeyIdentifier()Returns the subjectKeyIdentifier criterion.PublicKeygetSubjectPublicKey()Returns the subjectPublicKey criterion.StringgetSubjectPublicKeyAlgID()Returns the subjectPublicKeyAlgID criterion.booleanmatch(Certificate cert)Decides whether aCertificateshould be selected.voidsetAuthorityKeyIdentifier(byte[] authorityKeyID)Sets the authorityKeyIdentifier criterion.voidsetBasicConstraints(int minMaxPathLen)Sets the basic constraints constraint.voidsetCertificate(X509Certificate cert)Sets the certificateEquals criterion.voidsetCertificateValid(Date certValid)Sets the certificateValid criterion.voidsetExtendedKeyUsage(Set<String> keyPurposeSet)Sets the extendedKeyUsage criterion.voidsetIssuer(byte[] issuerDN)Sets the issuer criterion.voidsetIssuer(String issuerDN)Denigrated, use setIssuer(X500Principal) or setIssuer(byte[]) instead.voidsetIssuer(X500Principal issuer)Sets the issuer criterion.voidsetKeyUsage(boolean[] keyUsage)Sets the keyUsage criterion.voidsetMatchAllSubjectAltNames(boolean matchAllNames)Enables/disables matching all of the subjectAlternativeNames specified in thesetSubjectAlternativeNamesoraddSubjectAlternativeNamemethods.voidsetNameConstraints(byte[] bytes)Sets the name constraints criterion.voidsetPathToNames(Collection<List<?>> names)Sets the pathToNames criterion.voidsetPolicy(Set<String> certPolicySet)Sets the policy constraint.voidsetPrivateKeyValid(Date privateKeyValid)Sets the privateKeyValid criterion.voidsetSerialNumber(BigInteger serial)Sets the serialNumber criterion.voidsetSubject(byte[] subjectDN)Sets the subject criterion.voidsetSubject(String subjectDN)Denigrated, use setSubject(X500Principal) or setSubject(byte[]) instead.voidsetSubject(X500Principal subject)Sets the subject criterion.voidsetSubjectAlternativeNames(Collection<List<?>> names)Sets the subjectAlternativeNames criterion.voidsetSubjectKeyIdentifier(byte[] subjectKeyID)Sets the subjectKeyIdentifier criterion.voidsetSubjectPublicKey(byte[] key)Sets the subjectPublicKey criterion.voidsetSubjectPublicKey(PublicKey key)Sets the subjectPublicKey criterion.voidsetSubjectPublicKeyAlgID(String oid)Sets the subjectPublicKeyAlgID criterion.StringtoString()Return a printable representation of theCertSelector.
-
-
-
Method Detail
-
setCertificate
public void setCertificate(X509Certificate cert)
Sets the certificateEquals criterion. The specifiedX509Certificatemust be equal to theX509Certificatepassed to thematchmethod. Ifnull, then this check is not applied.This method is particularly useful when it is necessary to match a single certificate. Although other criteria can be specified in conjunction with the certificateEquals criterion, it is usually not practical or necessary.
- Parameters:
cert- theX509Certificateto match (ornull)- See Also:
getCertificate()
-
setSerialNumber
public void setSerialNumber(BigInteger serial)
Sets the serialNumber criterion. The specified serial number must match the certificate serial number in theX509Certificate. Ifnull, any certificate serial number will do.- Parameters:
serial- the certificate serial number to match (ornull)- See Also:
getSerialNumber()
-
setIssuer
public void setIssuer(X500Principal issuer)
Sets the issuer criterion. The specified distinguished name must match the issuer distinguished name in theX509Certificate. Ifnull, any issuer distinguished name will do.- Parameters:
issuer- a distinguished name as X500Principal (ornull)- Since:
- 1.5
-
setIssuer
public void setIssuer(String issuerDN) throws IOException
Denigrated, use setIssuer(X500Principal) or setIssuer(byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Sets the issuer criterion. The specified distinguished name must match the issuer distinguished name in the
X509Certificate. Ifnull, any issuer distinguished name will do.If
issuerDNis notnull, it should contain a distinguished name, in RFC 2253 format.- Parameters:
issuerDN- a distinguished name in RFC 2253 format (ornull)- Throws:
IOException- if a parsing error occurs (incorrect form for DN)
-
setIssuer
public void setIssuer(byte[] issuerDN) throws IOExceptionSets the issuer criterion. The specified distinguished name must match the issuer distinguished name in theX509Certificate. Ifnullis specified, the issuer criterion is disabled and any issuer distinguished name will do.If
issuerDNis notnull, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.Name ::= CHOICE { RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1 .. MAX) OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY DEFINED BY AttributeType .... DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1.. MAX)), bmpString BMPString (SIZE (1..MAX)) }Note that the byte array specified here is cloned to protect against subsequent modifications.
- Parameters:
issuerDN- a byte array containing the distinguished name in ASN.1 DER encoded form (ornull)- Throws:
IOException- if an encoding error occurs (incorrect form for DN)
-
setSubject
public void setSubject(X500Principal subject)
Sets the subject criterion. The specified distinguished name must match the subject distinguished name in theX509Certificate. Ifnull, any subject distinguished name will do.- Parameters:
subject- a distinguished name as X500Principal (ornull)- Since:
- 1.5
-
setSubject
public void setSubject(String subjectDN) throws IOException
Denigrated, use setSubject(X500Principal) or setSubject(byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Sets the subject criterion. The specified distinguished name must match the subject distinguished name in the
X509Certificate. Ifnull, any subject distinguished name will do.If
subjectDNis notnull, it should contain a distinguished name, in RFC 2253 format.- Parameters:
subjectDN- a distinguished name in RFC 2253 format (ornull)- Throws:
IOException- if a parsing error occurs (incorrect form for DN)
-
setSubject
public void setSubject(byte[] subjectDN) throws IOExceptionSets the subject criterion. The specified distinguished name must match the subject distinguished name in theX509Certificate. Ifnull, any subject distinguished name will do.If
subjectDNis notnull, it should contain a single DER encoded distinguished name, as defined in X.501. For the ASN.1 notation for this structure, seesetIssuer(byte [] issuerDN).- Parameters:
subjectDN- a byte array containing the distinguished name in ASN.1 DER format (ornull)- Throws:
IOException- if an encoding error occurs (incorrect form for DN)
-
setSubjectKeyIdentifier
public void setSubjectKeyIdentifier(byte[] subjectKeyID)
Sets the subjectKeyIdentifier criterion. TheX509Certificatemust contain a SubjectKeyIdentifier extension for which the contents of the extension matches the specified criterion value. If the criterion value isnull, no subjectKeyIdentifier check will be done.If
subjectKeyIDis notnull, it should contain a single DER encoded value corresponding to the contents of the extension value (not including the object identifier, criticality setting, and encapsulating OCTET STRING) for a SubjectKeyIdentifier extension. The ASN.1 notation for this structure follows.SubjectKeyIdentifier ::= KeyIdentifier KeyIdentifier ::= OCTET STRINGSince the format of subject key identifiers is not mandated by any standard, subject key identifiers are not parsed by the
X509CertSelector. Instead, the values are compared using a byte-by-byte comparison.Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
subjectKeyID- the subject key identifier (ornull)- See Also:
getSubjectKeyIdentifier()
-
setAuthorityKeyIdentifier
public void setAuthorityKeyIdentifier(byte[] authorityKeyID)
Sets the authorityKeyIdentifier criterion. TheX509Certificatemust contain an AuthorityKeyIdentifier extension for which the contents of the extension value matches the specified criterion value. If the criterion value isnull, no authorityKeyIdentifier check will be done.If
authorityKeyIDis notnull, it should contain a single DER encoded value corresponding to the contents of the extension value (not including the object identifier, criticality setting, and encapsulating OCTET STRING) for an AuthorityKeyIdentifier extension. The ASN.1 notation for this structure follows.AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] KeyIdentifier OPTIONAL, authorityCertIssuer [1] GeneralNames OPTIONAL, authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } KeyIdentifier ::= OCTET STRINGAuthority key identifiers are not parsed by the
X509CertSelector. Instead, the values are compared using a byte-by-byte comparison.When the
keyIdentifierfield ofAuthorityKeyIdentifieris populated, the value is usually taken from theSubjectKeyIdentifierextension in the issuer's certificate. Note, however, that the result ofX509Certificate.getExtensionValue(<SubjectKeyIdentifier Object Identifier>)on the issuer's certificate may NOT be used directly as the input tosetAuthorityKeyIdentifier. This is because the SubjectKeyIdentifier contains only a KeyIdentifier OCTET STRING, and not a SEQUENCE of KeyIdentifier, GeneralNames, and CertificateSerialNumber. In order to use the extension value of the issuer certificate'sSubjectKeyIdentifierextension, it will be necessary to extract the value of the embeddedKeyIdentifierOCTET STRING, then DER encode this OCTET STRING inside a SEQUENCE. For more details on SubjectKeyIdentifier, seesetSubjectKeyIdentifier(byte[] subjectKeyID).Note also that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
authorityKeyID- the authority key identifier (ornull)- See Also:
getAuthorityKeyIdentifier()
-
setCertificateValid
public void setCertificateValid(Date certValid)
Sets the certificateValid criterion. The specified date must fall within the certificate validity period for theX509Certificate. Ifnull, no certificateValid check will be done.Note that the
Datesupplied here is cloned to protect against subsequent modifications.- Parameters:
certValid- theDateto check (ornull)- See Also:
getCertificateValid()
-
setPrivateKeyValid
public void setPrivateKeyValid(Date privateKeyValid)
Sets the privateKeyValid criterion. The specified date must fall within the private key validity period for theX509Certificate. Ifnull, no privateKeyValid check will be done.Note that the
Datesupplied here is cloned to protect against subsequent modifications.- Parameters:
privateKeyValid- theDateto check (ornull)- See Also:
getPrivateKeyValid()
-
setSubjectPublicKeyAlgID
public void setSubjectPublicKeyAlgID(String oid) throws IOException
Sets the subjectPublicKeyAlgID criterion. TheX509Certificatemust contain a subject public key with the specified algorithm. Ifnull, no subjectPublicKeyAlgID check will be done.- Parameters:
oid- The object identifier (OID) of the algorithm to check for (ornull). An OID is represented by a set of nonnegative integers separated by periods.- Throws:
IOException- if the OID is invalid, such as the first component being not 0, 1 or 2 or the second component being greater than 39.- See Also:
getSubjectPublicKeyAlgID()
-
setSubjectPublicKey
public void setSubjectPublicKey(PublicKey key)
Sets the subjectPublicKey criterion. TheX509Certificatemust contain the specified subject public key. Ifnull, no subjectPublicKey check will be done.- Parameters:
key- the subject public key to check for (ornull)- See Also:
getSubjectPublicKey()
-
setSubjectPublicKey
public void setSubjectPublicKey(byte[] key) throws IOExceptionSets the subjectPublicKey criterion. TheX509Certificatemust contain the specified subject public key. Ifnull, no subjectPublicKey check will be done.Because this method allows the public key to be specified as a byte array, it may be used for unknown key types.
If
keyis notnull, it should contain a single DER encoded SubjectPublicKeyInfo structure, as defined in X.509. The ASN.1 notation for this structure is as follows.SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } -- contains a value of the type -- registered for use with the -- algorithm object identifier valueNote that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
key- a byte array containing the subject public key in ASN.1 DER form (ornull)- Throws:
IOException- if an encoding error occurs (incorrect form for subject public key)- See Also:
getSubjectPublicKey()
-
setKeyUsage
public void setKeyUsage(boolean[] keyUsage)
Sets the keyUsage criterion. TheX509Certificatemust allow the specified keyUsage values. Ifnull, no keyUsage check will be done. Note that anX509Certificatethat has no keyUsage extension implicitly allows all keyUsage values.Note that the boolean array supplied here is cloned to protect against subsequent modifications.
- Parameters:
keyUsage- a boolean array in the same format as the boolean array returned byX509Certificate.getKeyUsage(). Ornull.- See Also:
getKeyUsage()
-
setExtendedKeyUsage
public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException
Sets the extendedKeyUsage criterion. TheX509Certificatemust allow the specified key purposes in its extended key usage extension. IfkeyPurposeSetis empty ornull, no extendedKeyUsage check will be done. Note that anX509Certificatethat has no extendedKeyUsage extension implicitly allows all key purposes.Note that the
Setis cloned to protect against subsequent modifications.- Parameters:
keyPurposeSet- aSetof key purpose OIDs in string format (ornull). Each OID is represented by a set of nonnegative integers separated by periods.- Throws:
IOException- if the OID is invalid, such as the first component being not 0, 1 or 2 or the second component being greater than 39.- See Also:
getExtendedKeyUsage()
-
setMatchAllSubjectAltNames
public void setMatchAllSubjectAltNames(boolean matchAllNames)
Enables/disables matching all of the subjectAlternativeNames specified in thesetSubjectAlternativeNamesoraddSubjectAlternativeNamemethods. If enabled, theX509Certificatemust contain all of the specified subject alternative names. If disabled, theX509Certificatemust contain at least one of the specified subject alternative names.The matchAllNames flag is
trueby default.- Parameters:
matchAllNames- iftrue, the flag is enabled; iffalse, the flag is disabled.- See Also:
getMatchAllSubjectAltNames()
-
setSubjectAlternativeNames
public void setSubjectAlternativeNames(Collection<List<?>> names) throws IOException
Sets the subjectAlternativeNames criterion. TheX509Certificatemust contain all or at least one of the specified subjectAlternativeNames, depending on the value of the matchAllNames flag (seesetMatchAllSubjectAltNames).This method allows the caller to specify, with a single method call, the complete set of subject alternative names for the subjectAlternativeNames criterion. The specified value replaces the previous value for the subjectAlternativeNames criterion.
The
namesparameter (if notnull) is aCollectionwith one entry for each name to be included in the subject alternative name criterion. Each entry is aListwhose first entry is anInteger(the name type, 0-8) and whose second entry is aStringor a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Ifnullis supplied as the value for this argument, no subjectAlternativeNames check will be performed.Each subject alternative name in the
Collectionmay be specified either as aStringor as an ASN.1 encoded byte array. For more details about the formats used, seeaddSubjectAlternativeName(int type, String name)andaddSubjectAlternativeName(int type, byte [] name).Note: for distinguished names, specify the byte array form instead of the String form. See the note in
addSubjectAlternativeName(int, String)for more information.Note that the
namesparameter can contain duplicate names (same name and name type), but they may be removed from theCollectionof names returned by thegetSubjectAlternativeNamesmethod.Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Parameters:
names- aCollectionof names (ornull)- Throws:
IOException- if a parsing error occurs- See Also:
getSubjectAlternativeNames()
-
addSubjectAlternativeName
public void addSubjectAlternativeName(int type, String name) throws IOExceptionAdds a name to the subjectAlternativeNames criterion. TheX509Certificatemust contain all or at least one of the specified subjectAlternativeNames, depending on the value of the matchAllNames flag (seesetMatchAllSubjectAltNames).This method allows the caller to add a name to the set of subject alternative names. The specified name is added to any previous value for the subjectAlternativeNames criterion. If the specified name is a duplicate, it may be ignored.
The name is provided in string format. RFC 822, DNS, and URI names use the well-established string formats for those types (subject to the restrictions included in RFC 5280). IPv4 address names are supplied using dotted quad notation. OID address names are represented as a series of nonnegative integers separated by periods. And directory names (distinguished names) are supplied in RFC 2253 format. No standard string format is defined for otherNames, X.400 names, EDI party names, IPv6 address names, or any other type of names. They should be specified using the
addSubjectAlternativeName(int type, byte [] name)method.Note: for distinguished names, use addSubjectAlternativeName(int, byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.
- Parameters:
type- the name type (0-8, as specified in RFC 5280, section 4.2.1.6)name- the name in string form (notnull)- Throws:
IOException- if a parsing error occurs
-
addSubjectAlternativeName
public void addSubjectAlternativeName(int type, byte[] name) throws IOExceptionAdds a name to the subjectAlternativeNames criterion. TheX509Certificatemust contain all or at least one of the specified subjectAlternativeNames, depending on the value of the matchAllNames flag (seesetMatchAllSubjectAltNames).This method allows the caller to add a name to the set of subject alternative names. The specified name is added to any previous value for the subjectAlternativeNames criterion. If the specified name is a duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain the DER encoded name, as it would appear in the GeneralName structure defined in RFC 5280 and X.509. The encoded byte array should only contain the encoded value of the name, and should not include the tag associated with the name in the GeneralName structure. The ASN.1 definition of this structure appears below.
GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER}Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
type- the name type (0-8, as listed above)name- a byte array containing the name in ASN.1 DER encoded form- Throws:
IOException- if a parsing error occurs
-
setNameConstraints
public void setNameConstraints(byte[] bytes) throws IOExceptionSets the name constraints criterion. TheX509Certificatemust have subject and subject alternative names that meet the specified name constraints.The name constraints are specified as a byte array. This byte array should contain the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 definition of this structure appears below.
NameConstraints ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL, excludedSubtrees [1] GeneralSubtrees OPTIONAL } GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree GeneralSubtree ::= SEQUENCE { base GeneralName, minimum [0] BaseDistance DEFAULT 0, maximum [1] BaseDistance OPTIONAL } BaseDistance ::= INTEGER (0..MAX) GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER}Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
bytes- a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Can benull, in which case no name constraints check will be performed.- Throws:
IOException- if a parsing error occurs- See Also:
getNameConstraints()
-
setBasicConstraints
public void setBasicConstraints(int minMaxPathLen)
Sets the basic constraints constraint. If the value is greater than or equal to zero,X509Certificatesmust include a basicConstraints extension with a pathLen of at least this value. If the value is -2, only end-entity certificates are accepted. If the value is -1, no check is done.This constraint is useful when building a certification path forward (from the target toward the trust anchor. If a partial path has been built, any candidate certificate must have a maxPathLen value greater than or equal to the number of certificates in the partial path.
- Parameters:
minMaxPathLen- the value for the basic constraints constraint- Throws:
IllegalArgumentException- if the value is less than -2- See Also:
getBasicConstraints()
-
setPolicy
public void setPolicy(Set<String> certPolicySet) throws IOException
Sets the policy constraint. TheX509Certificatemust include at least one of the specified policies in its certificate policies extension. IfcertPolicySetis empty, then theX509Certificatemust include at least some specified policy in its certificate policies extension. IfcertPolicySetisnull, no policy check will be performed.Note that the
Setis cloned to protect against subsequent modifications.- Parameters:
certPolicySet- aSetof certificate policy OIDs in string format (ornull). Each OID is represented by a set of nonnegative integers separated by periods.- Throws:
IOException- if a parsing error occurs on the OID such as the first component is not 0, 1 or 2 or the second component is greater than 39.- See Also:
getPolicy()
-
setPathToNames
public void setPathToNames(Collection<List<?>> names) throws IOException
Sets the pathToNames criterion. TheX509Certificatemust not include name constraints that would prohibit building a path to the specified names.This method allows the caller to specify, with a single method call, the complete set of names which the
X509Certificates's name constraints must permit. The specified value replaces the previous value for the pathToNames criterion.This constraint is useful when building a certification path forward (from the target toward the trust anchor. If a partial path has been built, any candidate certificate must not include name constraints that would prohibit building a path to any of the names in the partial path.
The
namesparameter (if notnull) is aCollectionwith one entry for each name to be included in the pathToNames criterion. Each entry is aListwhose first entry is anInteger(the name type, 0-8) and whose second entry is aStringor a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Ifnullis supplied as the value for this argument, no pathToNames check will be performed.Each name in the
Collectionmay be specified either as aStringor as an ASN.1 encoded byte array. For more details about the formats used, seeaddPathToName(int type, String name)andaddPathToName(int type, byte [] name).Note: for distinguished names, specify the byte array form instead of the String form. See the note in
addPathToName(int, String)for more information.Note that the
namesparameter can contain duplicate names (same name and name type), but they may be removed from theCollectionof names returned by thegetPathToNamesmethod.Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Parameters:
names- aCollectionwith one entry per name (ornull)- Throws:
IOException- if a parsing error occurs- See Also:
getPathToNames()
-
addPathToName
public void addPathToName(int type, String name) throws IOExceptionAdds a name to the pathToNames criterion. TheX509Certificatemust not include name constraints that would prohibit building a path to the specified name.This method allows the caller to add a name to the set of names which the
X509Certificates's name constraints must permit. The specified name is added to any previous value for the pathToNames criterion. If the name is a duplicate, it may be ignored.The name is provided in string format. RFC 822, DNS, and URI names use the well-established string formats for those types (subject to the restrictions included in RFC 5280). IPv4 address names are supplied using dotted quad notation. OID address names are represented as a series of nonnegative integers separated by periods. And directory names (distinguished names) are supplied in RFC 2253 format. No standard string format is defined for otherNames, X.400 names, EDI party names, IPv6 address names, or any other type of names. They should be specified using the
addPathToName(int type, byte [] name)method.Note: for distinguished names, use addPathToName(int, byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.
- Parameters:
type- the name type (0-8, as specified in RFC 5280, section 4.2.1.6)name- the name in string form- Throws:
IOException- if a parsing error occurs
-
addPathToName
public void addPathToName(int type, byte[] name) throws IOExceptionAdds a name to the pathToNames criterion. TheX509Certificatemust not include name constraints that would prohibit building a path to the specified name.This method allows the caller to add a name to the set of names which the
X509Certificates's name constraints must permit. The specified name is added to any previous value for the pathToNames criterion. If the name is a duplicate, it may be ignored.The name is provided as a byte array. This byte array should contain the DER encoded name, as it would appear in the GeneralName structure defined in RFC 5280 and X.509. The ASN.1 definition of this structure appears in the documentation for
addSubjectAlternativeName(int type, byte [] name).Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
type- the name type (0-8, as specified in RFC 5280, section 4.2.1.6)name- a byte array containing the name in ASN.1 DER encoded form- Throws:
IOException- if a parsing error occurs
-
getCertificate
public X509Certificate getCertificate()
Returns the certificateEquals criterion. The specifiedX509Certificatemust be equal to theX509Certificatepassed to thematchmethod. Ifnull, this check is not applied.- Returns:
- the
X509Certificateto match (ornull) - See Also:
setCertificate(java.security.cert.X509Certificate)
-
getSerialNumber
public BigInteger getSerialNumber()
Returns the serialNumber criterion. The specified serial number must match the certificate serial number in theX509Certificate. Ifnull, any certificate serial number will do.- Returns:
- the certificate serial number to match
(or
null) - See Also:
setSerialNumber(java.math.BigInteger)
-
getIssuer
public X500Principal getIssuer()
Returns the issuer criterion as anX500Principal. This distinguished name must match the issuer distinguished name in theX509Certificate. Ifnull, the issuer criterion is disabled and any issuer distinguished name will do.- Returns:
- the required issuer distinguished name as X500Principal
(or
null) - Since:
- 1.5
-
getIssuerAsString
public String getIssuerAsString()
Denigrated, use getIssuer() or getIssuerAsBytes() instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Returns the issuer criterion as a
String. This distinguished name must match the issuer distinguished name in theX509Certificate. Ifnull, the issuer criterion is disabled and any issuer distinguished name will do.If the value returned is not
null, it is a distinguished name, in RFC 2253 format.- Returns:
- the required issuer distinguished name in RFC 2253 format
(or
null)
-
getIssuerAsBytes
public byte[] getIssuerAsBytes() throws IOExceptionReturns the issuer criterion as a byte array. This distinguished name must match the issuer distinguished name in theX509Certificate. Ifnull, the issuer criterion is disabled and any issuer distinguished name will do.If the value returned is not
null, it is a byte array containing a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is supplied in the documentation forsetIssuer(byte [] issuerDN).Note that the byte array returned is cloned to protect against subsequent modifications.
- Returns:
- a byte array containing the required issuer distinguished name
in ASN.1 DER format (or
null) - Throws:
IOException- if an encoding error occurs
-
getSubject
public X500Principal getSubject()
Returns the subject criterion as anX500Principal. This distinguished name must match the subject distinguished name in theX509Certificate. Ifnull, the subject criterion is disabled and any subject distinguished name will do.- Returns:
- the required subject distinguished name as X500Principal
(or
null) - Since:
- 1.5
-
getSubjectAsString
public String getSubjectAsString()
Denigrated, use getSubject() or getSubjectAsBytes() instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Returns the subject criterion as a
String. This distinguished name must match the subject distinguished name in theX509Certificate. Ifnull, the subject criterion is disabled and any subject distinguished name will do.If the value returned is not
null, it is a distinguished name, in RFC 2253 format.- Returns:
- the required subject distinguished name in RFC 2253 format
(or
null)
-
getSubjectAsBytes
public byte[] getSubjectAsBytes() throws IOExceptionReturns the subject criterion as a byte array. This distinguished name must match the subject distinguished name in theX509Certificate. Ifnull, the subject criterion is disabled and any subject distinguished name will do.If the value returned is not
null, it is a byte array containing a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is supplied in the documentation forsetSubject(byte [] subjectDN).Note that the byte array returned is cloned to protect against subsequent modifications.
- Returns:
- a byte array containing the required subject distinguished name
in ASN.1 DER format (or
null) - Throws:
IOException- if an encoding error occurs
-
getSubjectKeyIdentifier
public byte[] getSubjectKeyIdentifier()
Returns the subjectKeyIdentifier criterion. TheX509Certificatemust contain a SubjectKeyIdentifier extension with the specified value. Ifnull, no subjectKeyIdentifier check will be done.Note that the byte array returned is cloned to protect against subsequent modifications.
- Returns:
- the key identifier (or
null) - See Also:
setSubjectKeyIdentifier(byte[])
-
getAuthorityKeyIdentifier
public byte[] getAuthorityKeyIdentifier()
Returns the authorityKeyIdentifier criterion. TheX509Certificatemust contain a AuthorityKeyIdentifier extension with the specified value. Ifnull, no authorityKeyIdentifier check will be done.Note that the byte array returned is cloned to protect against subsequent modifications.
- Returns:
- the key identifier (or
null) - See Also:
setAuthorityKeyIdentifier(byte[])
-
getCertificateValid
public Date getCertificateValid()
Returns the certificateValid criterion. The specified date must fall within the certificate validity period for theX509Certificate. Ifnull, no certificateValid check will be done.Note that the
Datereturned is cloned to protect against subsequent modifications.- Returns:
- the
Dateto check (ornull) - See Also:
setCertificateValid(java.util.Date)
-
getPrivateKeyValid
public Date getPrivateKeyValid()
Returns the privateKeyValid criterion. The specified date must fall within the private key validity period for theX509Certificate. Ifnull, no privateKeyValid check will be done.Note that the
Datereturned is cloned to protect against subsequent modifications.- Returns:
- the
Dateto check (ornull) - See Also:
setPrivateKeyValid(java.util.Date)
-
getSubjectPublicKeyAlgID
public String getSubjectPublicKeyAlgID()
Returns the subjectPublicKeyAlgID criterion. TheX509Certificatemust contain a subject public key with the specified algorithm. Ifnull, no subjectPublicKeyAlgID check will be done.- Returns:
- the object identifier (OID) of the signature algorithm to check
for (or
null). An OID is represented by a set of nonnegative integers separated by periods. - See Also:
setSubjectPublicKeyAlgID(java.lang.String)
-
getSubjectPublicKey
public PublicKey getSubjectPublicKey()
Returns the subjectPublicKey criterion. TheX509Certificatemust contain the specified subject public key. Ifnull, no subjectPublicKey check will be done.- Returns:
- the subject public key to check for (or
null) - See Also:
setSubjectPublicKey(java.security.PublicKey)
-
getKeyUsage
public boolean[] getKeyUsage()
Returns the keyUsage criterion. TheX509Certificatemust allow the specified keyUsage values. If null, no keyUsage check will be done.Note that the boolean array returned is cloned to protect against subsequent modifications.
- Returns:
- a boolean array in the same format as the boolean
array returned by
X509Certificate.getKeyUsage(). Ornull. - See Also:
setKeyUsage(boolean[])
-
getExtendedKeyUsage
public Set<String> getExtendedKeyUsage()
Returns the extendedKeyUsage criterion. TheX509Certificatemust allow the specified key purposes in its extended key usage extension. If thekeyPurposeSetreturned is empty ornull, no extendedKeyUsage check will be done. Note that anX509Certificatethat has no extendedKeyUsage extension implicitly allows all key purposes.- Returns:
- an immutable
Setof key purpose OIDs in string format (ornull) - See Also:
setExtendedKeyUsage(java.util.Set<java.lang.String>)
-
getMatchAllSubjectAltNames
public boolean getMatchAllSubjectAltNames()
Indicates if theX509Certificatemust contain all or at least one of the subjectAlternativeNames specified in thesetSubjectAlternativeNamesoraddSubjectAlternativeNamemethods. Iftrue, theX509Certificatemust contain all of the specified subject alternative names. Iffalse, theX509Certificatemust contain at least one of the specified subject alternative names.- Returns:
trueif the flag is enabled;falseif the flag is disabled. The flag istrueby default.- See Also:
setMatchAllSubjectAltNames(boolean)
-
getSubjectAlternativeNames
public Collection<List<?>> getSubjectAlternativeNames()
Returns a copy of the subjectAlternativeNames criterion. TheX509Certificatemust contain all or at least one of the specified subjectAlternativeNames, depending on the value of the matchAllNames flag (seegetMatchAllSubjectAltNames). If the value returned isnull, no subjectAlternativeNames check will be performed.If the value returned is not
null, it is aCollectionwith one entry for each name to be included in the subject alternative name criterion. Each entry is aListwhose first entry is anInteger(the name type, 0-8) and whose second entry is aStringor a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Note that theCollectionreturned may contain duplicate names (same name and name type).Each subject alternative name in the
Collectionmay be specified either as aStringor as an ASN.1 encoded byte array. For more details about the formats used, seeaddSubjectAlternativeName(int type, String name)andaddSubjectAlternativeName(int type, byte [] name).Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Returns:
- a
Collectionof names (ornull) - See Also:
setSubjectAlternativeNames(java.util.Collection<java.util.List<?>>)
-
getNameConstraints
public byte[] getNameConstraints()
Returns the name constraints criterion. TheX509Certificatemust have subject and subject alternative names that meet the specified name constraints.The name constraints are returned as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for
setNameConstraints(byte [] bytes).Note that the byte array returned is cloned to protect against subsequent modifications.
- Returns:
- a byte array containing the ASN.1 DER encoding of
a NameConstraints extension used for checking name constraints.
nullif no name constraints check will be performed. - See Also:
setNameConstraints(byte[])
-
getBasicConstraints
public int getBasicConstraints()
Returns the basic constraints constraint. If the value is greater than or equal to zero, theX509Certificatesmust include a basicConstraints extension with a pathLen of at least this value. If the value is -2, only end-entity certificates are accepted. If the value is -1, no basicConstraints check is done.- Returns:
- the value for the basic constraints constraint
- See Also:
setBasicConstraints(int)
-
getPolicy
public Set<String> getPolicy()
Returns the policy criterion. TheX509Certificatemust include at least one of the specified policies in its certificate policies extension. If theSetreturned is empty, then theX509Certificatemust include at least some specified policy in its certificate policies extension. If theSetreturned isnull, no policy check will be performed.- Returns:
- an immutable
Setof certificate policy OIDs in string format (ornull) - See Also:
setPolicy(java.util.Set<java.lang.String>)
-
getPathToNames
public Collection<List<?>> getPathToNames()
Returns a copy of the pathToNames criterion. TheX509Certificatemust not include name constraints that would prohibit building a path to the specified names. If the value returned isnull, no pathToNames check will be performed.If the value returned is not
null, it is aCollectionwith one entry for each name to be included in the pathToNames criterion. Each entry is aListwhose first entry is anInteger(the name type, 0-8) and whose second entry is aStringor a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Note that theCollectionreturned may contain duplicate names (same name and name type).Each name in the
Collectionmay be specified either as aStringor as an ASN.1 encoded byte array. For more details about the formats used, seeaddPathToName(int type, String name)andaddPathToName(int type, byte [] name).Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Returns:
- a
Collectionof names (ornull) - See Also:
setPathToNames(java.util.Collection<java.util.List<?>>)
-
toString
public String toString()
Return a printable representation of theCertSelector.
-
match
public boolean match(Certificate cert)
Decides whether aCertificateshould be selected.- Specified by:
matchin interfaceCertSelector- Parameters:
cert- theCertificateto be checked- Returns:
trueif theCertificateshould be selected,falseotherwise
-
-