Class X509CertSelector

    • Constructor Detail

      • X509CertSelector

        public X509CertSelector()
        Creates a new X509CertSelector.
    • Method Detail

      • setCertificate

        public void setCertificate(X509Certificate certificate)
        Sets the certificate that a matching certificate must be equal to.
        Parameters:
        certificate - the certificate to match, or null to not check this criteria.
      • getCertificate

        public X509Certificate getCertificate()
        Returns the certificate that a matching certificate must be equal to.
        Returns:
        the certificate to match, or null if this criteria is not checked.
      • setSerialNumber

        public void setSerialNumber(BigInteger serialNumber)
        Sets the serial number that a certificate must match.
        Parameters:
        serialNumber - the serial number to match, or null to not check the serial number.
      • getSerialNumber

        public BigInteger getSerialNumber()
        Returns the serial number that a certificate must match.
        Returns:
        the serial number to match, or null if the serial number is not to be checked.
      • setIssuer

        public void setIssuer(X500Principal issuer)
        Sets the issuer that a certificate must match.
        Parameters:
        issuer - the issuer to match, or null if the issuer is not to be checked.
      • getIssuer

        public X500Principal getIssuer()
        Returns the issuer that a certificate must match.
        Returns:
        the issuer that a certificate must match, or null if the issuer is not to be checked.
      • setIssuer

        public void setIssuer(String issuerName)
                       throws IOException
        Do not use; use setIssuer(X500Principal) or setIssuer(byte[]) instead. Sets the issuer that a certificate must match.
        Parameters:
        issuerName - the issuer in an RFC 2253 format string, or null to not check the issuer.
        Throws:
        IOException - if parsing the issuer fails.
      • getIssuerAsString

        public String getIssuerAsString()
        Do not use; use getIssuer() or getIssuerAsBytes() instead. Returns the issuer that a certificate must match in an RFC 2253 format string.
        Returns:
        the issuer in an RFC 2253 format string, or null if the issuer is not to be checked.
      • setIssuer

        public void setIssuer(byte[] issuerDN)
                       throws IOException
        Sets the issuer that a certificate must match.
        Parameters:
        issuerDN - the distinguished issuer name in ASN.1 DER encoded format, or null to not check the issuer.
        Throws:
        IOException - if decoding the issuer fails.
      • getIssuerAsBytes

        public byte[] getIssuerAsBytes()
                                throws IOException
        Returns the issuer that a certificate must match.
        Returns:
        the distinguished issuer name in ASN.1 DER encoded format, or null if the issuer is not to be checked.
        Throws:
        IOException - if encoding the issuer fails.
      • setSubject

        public void setSubject(X500Principal subject)
        Sets the subject that a certificate must match.
        Parameters:
        subject - the subject distinguished name or null to not check the subject.
      • getSubject

        public X500Principal getSubject()
        Returns the subject that a certificate must match.
        Returns:
        the subject distinguished name, or null if the subject is not to be checked.
      • setSubject

        public void setSubject(String subjectDN)
                        throws IOException
        Do not use; use setSubject(byte[]) or setSubject(X500Principal) instead. Sets the subject that a certificate must match.
        Parameters:
        subjectDN - the subject distinguished name in RFC 2253 format or null to not check the subject.
        Throws:
        IOException - if decoding the subject fails.
      • getSubjectAsString

        public String getSubjectAsString()
        Do not use; use getSubject() or getSubjectAsBytes() instead. Returns the subject that a certificate must match.
        Returns:
        the subject distinguished name in RFC 2253 format, or null if the subject is not to be checked.
      • setSubject

        public void setSubject(byte[] subjectDN)
                        throws IOException
        Sets the subject that a certificate must match.
        Parameters:
        subjectDN - the subject distinguished name in ASN.1 DER format, or null to not check the subject.
        Throws:
        IOException - if decoding the subject fails.
      • getSubjectAsBytes

        public byte[] getSubjectAsBytes()
                                 throws IOException
        Returns the subject that a certificate must match.
        Returns:
        the subject distinguished name in ASN.1 DER format, or null if the subject is not to be checked.
        Throws:
        IOException - if encoding the subject fails.
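        The issuer and serial number setters above are the pair a CRL entry (and a CMS SignerIdentifier) uses to name a certificate, which makes them the natural way to ask "which of my certificates does this CRL revoke?". The following is an added example, not part of this reference page or of the platform's own code. It assumes two command-line inputs (a PEM bundle of certificates and a CRL file), and it passes the issuer as an X500Principal rather than through the String overload the page discourages. The cRLSign index (6) follows the bit order X509Certificate.getKeyUsage() documents for the KeyUsage extension; the handling of per-entry certificate issuers covers indirect CRLs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class RevokedInPool {

    /** Finds a certificate in the pool whose subject is the CRL issuer and that may sign CRLs. */
    static X509Certificate crlSigner(Collection<X509Certificate> pool, X509CRL crl) {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(crl.getIssuerX500Principal());   // X500Principal, not the String overload
        boolean[] keyUsage = new boolean[9];
        keyUsage[6] = true;                              // cRLSign, same index as getKeyUsage()
        sel.setKeyUsage(keyUsage);
        for (X509Certificate c : pool) {
            if (sel.match(c)) {
                return c;
            }
        }
        return null;
    }

    /**
     * Returns every certificate in the pool that the CRL revokes. A CRL entry carries
     * only a serial number, scoped to the CRL issuer (or to a per-entry certificate
     * issuer in an indirect CRL), so each lookup matches on the (issuer, serialNumber)
     * pair and leaves every other criterion null, i.e. unchecked.
     */
    static List<X509Certificate> revokedCertificates(Collection<X509Certificate> pool, X509CRL crl)
            throws Exception {
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool));
        X500Principal crlIssuer = crl.getIssuerX500Principal();
        List<X509Certificate> revoked = new ArrayList<>();
        Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
        if (entries == null) {
            return revoked;                              // the CRL lists nothing
        }
        for (X509CRLEntry entry : entries) {
            X500Principal entryIssuer = entry.getCertificateIssuer();   // null unless indirect CRL
            X509CertSelector sel = new X509CertSelector();
            sel.setIssuer(entryIssuer != null ? entryIssuer : crlIssuer);
            sel.setSerialNumber(entry.getSerialNumber());
            for (Certificate c : store.getCertificates(sel)) {
                revoked.add((X509Certificate) c);
            }
        }
        return revoked;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PEM bundle of certificates, args[1] = CRL file (DER or PEM)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                pool.add((X509Certificate) c);
            }
        }
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[1])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        X509Certificate signer = crlSigner(pool, crl);
        if (signer == null) {
            System.out.println("CRL issuer certificate not in pool; CRL cannot be verified");
            return;
        }
        crl.verify(signer.getPublicKey());               // throws if the CRL signature is bad
        for (X509Certificate c : revokedCertificates(pool, crl)) {
            System.out.println("revoked: " + c.getSubjectX500Principal()
                    + " serial=" + c.getSerialNumber().toString(16));
        }
    }
}
```

        The CRL signature is checked before any entry is acted on, since an unverified CRL could mark arbitrary serials as revoked; the lookup itself is done through a Collection CertStore, which is the query interface a CertSelector is designed for.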
      • setSubjectKeyIdentifier

        public void setSubjectKeyIdentifier(byte[] subjectKeyIdentifier)
        Sets the criterion for the SubjectKeyIdentifier extension.

        The subjectKeyIdentifier should be a single DER encoded value.

        Parameters:
        subjectKeyIdentifier - the subject key identifier or null to disable this check.
      • getSubjectKeyIdentifier

        public byte[] getSubjectKeyIdentifier()
        Returns the criterion for the SubjectKeyIdentifier extension.
        Returns:
        the subject key identifier or null if it is not to be checked.
      • setAuthorityKeyIdentifier

        public void setAuthorityKeyIdentifier(byte[] authorityKeyIdentifier)
        Sets the criterion for the AuthorityKeyIdentifier extension.
        Parameters:
        authorityKeyIdentifier - the authority key identifier, or null to disable this check.
      • getAuthorityKeyIdentifier

        public byte[] getAuthorityKeyIdentifier()
        Returns the criterion for the AuthorityKeyIdentifier extension.
        Returns:
        the authority key identifier, or null if it is not to be checked.
      • setCertificateValid

        public void setCertificateValid(Date certificateValid)
        Sets the criterion for the validity date of the certificate.

        The certificate must be valid at the specified date.

        Parameters:
        certificateValid - the validity date or null to not check the date.
      • getCertificateValid

        public Date getCertificateValid()
        Returns the criterion for the validity date of the certificate.
        Returns:
        the validity date or null if the date is not to be checked.
      • setPrivateKeyValid

        public void setPrivateKeyValid(Date privateKeyValid)
        Sets the criterion for the validity date of the private key.

        The private key must be valid at the specified date.

        Parameters:
        privateKeyValid - the validity date or null to not check the date.
      • getPrivateKeyValid

        public Date getPrivateKeyValid()
        Returns the criterion for the validity date of the private key.

        The private key must be valid at the specified date.

        Returns:
        the validity date or null if the date is not to be checked.
      • setSubjectPublicKeyAlgID

        public void setSubjectPublicKeyAlgID(String oid)
                                      throws IOException
        Sets the criterion for the subject public key signature algorithm.

        The certificate must contain a subject public key with the algorithm specified.

        Parameters:
        oid - the OID (object identifier) of the signature algorithm or null to not check the OID.
        Throws:
        IOException - if the specified object identifier is invalid.
      • getSubjectPublicKeyAlgID

        public String getSubjectPublicKeyAlgID()
        Returns the criterion for the subject public key signature algorithm.
        Returns:
        the OID (object identifier) of the signature algorithm, or null if it is not to be checked.
      • setSubjectPublicKey

        public void setSubjectPublicKey(PublicKey key)
        Sets the criterion for the subject public key.
        Parameters:
        key - the subject public key or null to not check the key.
      • setSubjectPublicKey

        public void setSubjectPublicKey(byte[] key)
                                 throws IOException
        Sets the criterion for the subject public key.
        Parameters:
        key - the subject public key in ASN.1 DER encoded format or null to not check the key.
        Throws:
        IOException - if decoding the public key fails.
      • getSubjectPublicKey

        public PublicKey getSubjectPublicKey()
        Returns the criterion for the subject public key.
        Returns:
        the subject public key or null if the key is not to be checked.
      • setKeyUsage

        public void setKeyUsage(boolean[] keyUsage)
        Sets the criterion for the KeyUsage extension.
        Parameters:
        keyUsage - the boolean array in the format as returned by X509Certificate.getKeyUsage(), or null to not check the key usage.
      • getKeyUsage

        public boolean[] getKeyUsage()
        Returns the criterion for the KeyUsage extension.
        Returns:
        the boolean array in the format as returned by X509Certificate.getKeyUsage(), or null if the key usage is not to be checked.
      • setExtendedKeyUsage

        public void setExtendedKeyUsage(Set<String> keyUsage)
                                 throws IOException
        Sets the criterion for the ExtendedKeyUsage extension.
        Parameters:
        keyUsage - the set of key usage OIDs, or null to not check it.
        Throws:
        IOException - if one of the OIDs is invalid.
      • getExtendedKeyUsage

        public Set<String> getExtendedKeyUsage()
        Returns the criterion for the ExtendedKeyUsage extension.
        Returns:
        the set of key usage OIDs, or null if it's not to be checked.
      • setSubjectAlternativeNames

        public void setSubjectAlternativeNames(Collection<List<?>> names)
                                        throws IOException
        Sets the criterion for subject alternative names.

        The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

        The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

        Parameters:
        names - the names collection or null to not perform this check.
        Throws:
        IOException - if the decoding of a name fails.
      • addSubjectAlternativeName

        public void addSubjectAlternativeName(int tag,
                                              String name)
                                       throws IOException
        Adds a subject alternative name to the respective criterion.
        Parameters:
        tag - the type of the name
        name - the name in string format.
        Throws:
        IOException - if parsing the name fails.
      • addSubjectAlternativeName

        public void addSubjectAlternativeName(int tag,
                                              byte[] name)
                                       throws IOException
        Adds a subject alternative name to the respective criterion.
        Parameters:
        tag - the type of the name.
        name - the name in ASN.1 DER encoded form.
        Throws:
        IOException - if the decoding of the name fails.
      • getSubjectAlternativeNames

        public Collection<List<?>> getSubjectAlternativeNames()
        Returns the criterion for subject alternative names.

        The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

        The subject alternative names is a collection with an entry for each name included in the criterion. Each name is specified as a List: the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

        Returns:
        the names collection or null if none specified.
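        The validity, key usage, extended key usage and subject alternative name criteria described above are usually combined to answer one question: which certificate in a store is fit for a given job. The following is an added example, not code from this reference page or from the platform. It builds a selector for a TLS server certificate for a particular host and applies match() over a PEM bundle whose path is taken from the command line (an assumption). The name-type tags (dNSName = 2, iPAddress = 7) are the GeneralName CHOICE tags shown in the NameConstraints ASN.1 later on this page; the serverAuth OID is id-kp-serverAuth from RFC 5280; setMatchAllSubjectAltNames(boolean) is the setter counterpart of the getMatchAllSubjectAltNames() method the page refers to.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;

public class ServerCertSelector {
    // GeneralName CHOICE tags (see the NameConstraints ASN.1 on this page)
    static final int TAG_DNS_NAME = 2;
    static final int TAG_IP_ADDRESS = 7;
    // id-kp-serverAuth (RFC 5280)
    static final String OID_EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    // Index of digitalSignature in the boolean[] returned by X509Certificate.getKeyUsage()
    static final int KU_DIGITAL_SIGNATURE = 0;

    /**
     * Builds a selector for a certificate a TLS server could present for the given
     * host: valid at the given instant, allowed to sign, marked for serverAuth, and
     * carrying a SAN that names either the host name or the listening address.
     */
    static X509CertSelector forServer(String hostname, String ipAddress, Date at) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setCertificateValid(at);

        boolean[] keyUsage = new boolean[9];
        keyUsage[KU_DIGITAL_SIGNATURE] = true;
        sel.setKeyUsage(keyUsage);

        sel.setExtendedKeyUsage(Collections.singleton(OID_EKU_SERVER_AUTH));

        // Either name is acceptable, so require at least one of them rather than all.
        sel.addSubjectAlternativeName(TAG_DNS_NAME, hostname);
        sel.addSubjectAlternativeName(TAG_IP_ADDRESS, ipAddress);
        sel.setMatchAllSubjectAltNames(false);
        return sel;
    }

    /** Applies match() to every certificate in the pool and keeps those satisfying all criteria. */
    static List<X509Certificate> select(Collection<X509Certificate> pool, X509CertSelector sel) {
        List<X509Certificate> hits = new ArrayList<>();
        for (X509Certificate c : pool) {
            if (sel.match(c)) {
                hits.add(c);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PEM bundle of candidates, args[1] = host name, args[2] = IP address
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                pool.add((X509Certificate) c);
            }
        }
        X509CertSelector sel = forServer(args[1], args[2], new Date());
        List<X509Certificate> usable = select(pool, sel);
        if (usable.isEmpty()) {
            // toString() prints the active criteria, which makes a failed selection easy to explain
            System.out.println("no certificate satisfies: " + sel);
        }
        for (X509Certificate c : usable) {
            System.out.println("usable: " + c.getSubjectX500Principal() + " until " + c.getNotAfter());
        }
    }
}
```

        Every criterion left null is simply not checked, so the selector says nothing about the chain: a certificate it accepts still has to be validated to a trust anchor before it is used.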
      • setNameConstraints

        public void setNameConstraints(byte[] bytes)
                                throws IOException
        Sets the criterion for the name constraints.

        The certificate's subject and subject alternative names must satisfy the specified name constraints.

        The name constraints in ASN.1:

         NameConstraints ::= SEQUENCE {
                permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
                excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
        
         GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
        
         GeneralSubtree ::= SEQUENCE {
                base                    GeneralName,
                minimum         [0]     BaseDistance DEFAULT 0,
                maximum         [1]     BaseDistance OPTIONAL }
        
         BaseDistance ::= INTEGER (0..MAX)
        
         GeneralName ::= CHOICE {
                otherName                       [0]     OtherName,
                rfc822Name                      [1]     IA5String,
                dNSName                         [2]     IA5String,
                x400Address                     [3]     ORAddress,
                directoryName                   [4]     Name,
                ediPartyName                    [5]     EDIPartyName,
                uniformResourceIdentifier       [6]     IA5String,
                iPAddress                       [7]     OCTET STRING,
                registeredID                    [8]     OBJECT IDENTIFIER}
        
         
        Parameters:
        bytes - the name constraints in ASN.1 DER encoded format, or null to not check any constraints.
        Throws:
        IOException - if decoding the name constraints fails.
      • getNameConstraints

        public byte[] getNameConstraints()
        Returns the criterion for the name constraints.
        Returns:
        the name constraints or null if none specified.
        See Also:
        setNameConstraints(byte[])
      • setBasicConstraints

        public void setBasicConstraints(int pathLen)
        Sets the criterion for the basic constraints extension.

        A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

        Parameters:
        pathLen - the value specifying the criterion.
        Throws:
        IllegalArgumentException - if pathLen is less than -2.
      • getBasicConstraints

        public int getBasicConstraints()
        Returns the criterion for the basic constraints extension.

        A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

        Returns:
        the value of the criterion.
      • setPolicy

        public void setPolicy(Set<String> policies)
                       throws IOException
        Sets the criterion for the policy constraint.

        The certificate must have at least one of the specified certificate policy extensions. For an empty set the certificate must have at least some policies in its policy extension.

        Parameters:
        policies - the certificate policy OIDs, an empty set, or null to not perform this check.
        Throws:
        IOException - if parsing the specified OIDs fails.
      • getPolicy

        public Set<String> getPolicy()
        Returns the criterion for the policy constraint.

        The certificate must have at least one of the specified certificate policy extensions. For an empty set the certificate must have at least some policies in its policy extension.

        Returns:
        the certificate policy OIDs, an empty set, or null if not to be checked.
      • setPathToNames

        public void setPathToNames(Collection<List<?>> names)
                            throws IOException
        Sets the criterion for the pathToNames constraint.

        This specifies the complete set of names that a certificate's name constraints must permit.

        The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

        Parameters:
        names - the names collection or null to not perform this check.
        Throws:
        IOException - if decoding fails.
      • getPathToNames

        public Collection<List<?>> getPathToNames()
        Returns the criterion for the pathToNames constraint.

        The constraint is a collection with an entry for each name to be included in the criterion. The name is specified as a List, the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

        Returns:
        the pathToNames constraint or null if none specified.
      • toString

        public String toString()
        Returns a string representation of this X509CertSelector instance.
        Overrides:
        toString in class Object
        Returns:
        a string representation of this X509CertSelector instance.
      • match

        public boolean match(Certificate certificate)
        Returns whether the specified certificate matches all the criteria collected in this instance.
        Specified by:
        match in interface CertSelector
        Parameters:
        certificate - the certificate to check.
        Returns:
        true if the certificate matches all the criteria, otherwise false.
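        Beyond calling match() directly, the most security-relevant place an X509CertSelector is used is as the target constraint of a PKIX path builder, where it names the leaf a certification path must end at. The following is an added example, not code from this reference page or the platform. It combines setCertificate() with the setBasicConstraints(-2) end-entity criterion described earlier, so that a CA certificate handed in as "the leaf" is refused rather than chained, and builds a path from that target to a trust anchor in a KeyStore. File paths and the trust store password are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainToTrustAnchor {

    /**
     * Builds and validates a certification path from the leaf to a trust anchor in
     * the trust store. The selector is the path target: exactly this leaf, and only
     * if it is an end-entity certificate (-2).
     */
    static PKIXCertPathBuilderResult chain(X509Certificate leaf, List<X509Certificate> intermediates,
            KeyStore trustStore, boolean revocationChecks) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        target.setBasicConstraints(-2);

        // Trust anchors come from the trusted entries of the KeyStore.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        List<Certificate> pool = new ArrayList<>(intermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        // Revocation checking needs CRL/OCSP access; disabling it silently accepts revoked certificates.
        params.setRevocationEnabled(revocationChecks);

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PEM file (leaf first, then intermediates),
        // args[1] = trust store path, args[2] = trust store password
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        X509Certificate leaf = certs.get(0);
        List<X509Certificate> intermediates = certs.subList(1, certs.size());
        try {
            PKIXCertPathBuilderResult result = chain(leaf, intermediates, trust, true);
            System.out.println("anchored at: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : result.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            // No path from the target to any trust anchor: the leaf must not be trusted.
            System.out.println("no trusted path: " + e.getMessage());
        }
    }
}
```

        The builder calls the selector's match() to recognise the target; everything else about the chain (signatures, validity periods, name and policy constraints, revocation if enabled) is checked by the PKIX validator on the way to the anchor, which is why a failed build should be treated as "untrusted" rather than retried with a looser selector.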
      • clone

        public Object clone()
        Clones this X509CertSelector instance.
        Specified by:
        clone in interface CertSelector
        Overrides:
        clone in class Object
        Returns:
        the cloned instance.