Top Description Fields Constructors Methods
java.security.cert

public Class X509CertSelector

extends Object
implements CertSelector
Class Inheritance
All Implemented Interfaces
java.security.cert.CertSelector, java.lang.Cloneable
Known Direct Subclasses
sun.security.provider.certpath.AdaptableX509CertSelector, sun.security.provider.certpath.RevocationChecker.RejectKeySelector
Imports
java.io.IOException, java.math.BigInteger, java.security.PublicKey, java.util.*, javax.security.auth.x500.X500Principal, sun.security.util.*, sun.security.x509.*
A CertSelector that selects X509Certificates that match all specified criteria. This class is particularly useful when selecting certificates from a CertStore to build a PKIX-compliant certification path.

When first constructed, an X509CertSelector has no criteria enabled and each of the get methods return a default value (null, or -1 for the getBasicConstraints method). Therefore, the match method would return true for any X509Certificate. Typically, several criteria are enabled (by calling setIssuer(X500Principal) or setKeyUsage, for instance) and then the X509CertSelector is passed to CertStore.getCertificates or some similar method.

Several criteria can be enabled (by calling setIssuer(X500Principal) and setSerialNumber, for example) such that the match method usually uniquely matches a single X509Certificate. We say usually, since it is possible for two issuing CAs to have the same distinguished name and each issue a certificate with the same serial number. Other unique combinations include the issuer, subject, subjectKeyIdentifier and/or the subjectPublicKey criteria.

Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 certificate extensions mentioned below.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Author
Steve Hanna
Since
1.4
See Also
CertSelector, X509Certificate

Field Summary

Modifier and TypeField and Description
private static final ObjectIdentifier
ANY_EXTENDED_KEY_USAGE

private byte[]
authorityKeyID

private int
basicConstraints

private Date
certificateValid

private static final Debug
debug

private static final Boolean
FALSE

private X500Principal
issuer

private Set<ObjectIdentifier>
keyPurposeOIDSet

private Set<String>
keyPurposeSet

private boolean[]
keyUsage

private boolean
matchAllSubjectAltNames

pack-priv static final int
NAME_ANY

pack-priv static final int
NAME_DIRECTORY

pack-priv static final int
NAME_DNS

pack-priv static final int
NAME_EDI

pack-priv static final int
NAME_IP

pack-priv static final int
NAME_OID

pack-priv static final int
NAME_RFC822

pack-priv static final int
NAME_URI

pack-priv static final int
NAME_X400

private NameConstraintsExtension
nc

private byte[]
ncBytes

private Set<GeneralNameInterface>
pathToGeneralNames

private Set<List<?>>
pathToNames

private CertificatePolicySet
policy

private Set<String>
policySet

private Date
privateKeyValid

private BigInteger
serialNumber

private X500Principal
subject

private Set<GeneralNameInterface>
subjectAlternativeGeneralNames

private Set<List<?>>
subjectAlternativeNames

private byte[]
subjectKeyID

private PublicKey
subjectPublicKey

private ObjectIdentifier
subjectPublicKeyAlgID

private byte[]
subjectPublicKeyBytes

private X509Certificate
x509Cert

Constructor Summary

AccessConstructor and Description
public
X509CertSelector()

Creates an X509CertSelector.

Method Summary

Modifier and TypeMethod and Description
public void
addPathToName(int
the name type (0-8, as specified in RFC 5280, section 4.2.1.6)
type, String
the name in string form
name)

Adds a name to the pathToNames criterion.

public void
addPathToName(int
the name type (0-8, as specified in RFC 5280, section 4.2.1.6)
type, byte[]
a byte array containing the name in ASN.1 DER encoded form
name)

Adds a name to the pathToNames criterion.

private void
addPathToNameInternal(int
the name type (0-8, as specified in RFC 5280, section 4.2.1.6)
type, Object
the name in string or byte array form
name)

A private method that adds a name (String or byte array) to the pathToNames criterion.

public void
addSubjectAlternativeName(int
the name type (0-8, as specified in RFC 5280, section 4.2.1.6)
type, String
the name in string form (not null)
name)

Adds a name to the subjectAlternativeNames criterion.

public void
addSubjectAlternativeName(int
the name type (0-8, as listed above)
type, byte[]
a byte array containing the name in ASN.1 DER encoded form
name)

Adds a name to the subjectAlternativeNames criterion.

private void
addSubjectAlternativeNameInternal(int
the name type (0-8, as specified in RFC 5280, section 4.2.1.6)
type, Object
the name in string or byte array form
name)

A private method that adds a name (String or byte array) to the subjectAlternativeNames criterion.

public Object

Returns:

the copy
clone()

Overrides java.lang.Object.clone.

Implements java.security.cert.CertSelector.clone.

Returns a copy of this object.

private static Set<List<?>>

Returns:

a deep copy of the specified Collection
cloneAndCheckNames(Collection<List<?>>
a Collection with one entry per name. Each entry is a List whose first entry is an Integer (the name type, 0-8) and whose second entry is a String or a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. null is not an acceptable value.
names)

Clone and check an argument of the form passed to setSubjectAlternativeNames and setPathToNames.

private static Set<List<?>>

Returns:

a deep copy of the specified Collection
cloneNames(Collection<List<?>>
a Collection with one entry per name. Each entry is a List whose first entry is an Integer (the name type, 0-8) and whose second entry is a String or a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Null is not an acceptable value.
names)

Clone an object of the form passed to setSubjectAlternativeNames and setPathToNames.

private static <T> Set<T>
cloneSet(Set<T> set)

pack-priv static boolean

Returns:

true if the objects are equal, false otherwise
equalNames(Collection<?>
a Collection containing the first object to compare
object1, Collection<?>
a Collection containing the second object to compare
object2)

Compare for equality two objects of the form passed to setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames).

public byte[]

Returns:

the key identifier (or null)
getAuthorityKeyIdentifier()

Returns the authorityKeyIdentifier criterion.

public int

Returns:

the value for the basic constraints constraint
getBasicConstraints()

Returns the basic constraints constraint.

public X509Certificate

Returns:

the X509Certificate to match (or null)
getCertificate()

Returns the certificateEquals criterion.

public Date

Returns:

the Date to check (or null)
getCertificateValid()

Returns the certificateValid criterion.

public Set<String>

Returns:

an immutable Set of key purpose OIDs in string format (or null)
getExtendedKeyUsage()

Returns the extendedKeyUsage criterion.

private static Extension

Returns:

an Extension object whose real type is as specified by the extension oid.
getExtensionObject(X509Certificate
a X509Certificate
cert, KnownOIDs
an integer which specifies the extension index. Currently, the supported extensions are as follows: index 0 - PrivateKeyUsageExtension index 1 - SubjectAlternativeNameExtension index 2 - NameConstraintsExtension index 3 - CertificatePoliciesExtension index 4 - ExtendedKeyUsageExtension
extId)

Returns an Extension object given any X509Certificate and extension oid.

public X500Principal

Returns:

the required issuer distinguished name as X500Principal (or null)
getIssuer()

Returns the issuer criterion as an X500Principal.

public byte[]

Returns:

a byte array containing the required issuer distinguished name in ASN.1 DER format (or null)
getIssuerAsBytes()

Returns the issuer criterion as a byte array.

public String

Returns:

the required issuer distinguished name in RFC 2253 format (or null)
getIssuerAsString()
Deprecated since 16. Use getIssuer() or getIssuerAsBytes() instead.

Returns the issuer criterion as a String.

public boolean[]

Returns:

a boolean array in the same format as the boolean array returned by X509Certificate.getKeyUsage(). Or null.
getKeyUsage()

Returns the keyUsage criterion.

public boolean

Returns:

true if the flag is enabled; false if the flag is disabled. The flag is true by default.
getMatchAllSubjectAltNames()

Indicates if the X509Certificate must contain all or at least one of the subjectAlternativeNames specified in the setSubjectAlternativeNames or addSubjectAlternativeName methods.

public byte[]

Returns:

a byte array containing the ASN.1 DER encoding of a NameConstraints extension used for checking name constraints. null if no name constraints check will be performed.
getNameConstraints()

Returns the name constraints criterion.

public Collection<List<?>>

Returns:

a Collection of names (or null)
getPathToNames()

Returns a copy of the pathToNames criterion.

public Set<String>

Returns:

an immutable Set of certificate policy OIDs in string format (or null)
getPolicy()

Returns the policy criterion.

public Date

Returns:

the Date to check (or null)
getPrivateKeyValid()

Returns the privateKeyValid criterion.

public BigInteger

Returns:

the certificate serial number to match (or null)
getSerialNumber()

Returns the serialNumber criterion.

public X500Principal

Returns:

the required subject distinguished name as X500Principal (or null)
getSubject()

Returns the subject criterion as an X500Principal.

public Collection<List<?>>

Returns:

a Collection of names (or null)
getSubjectAlternativeNames()

Returns a copy of the subjectAlternativeNames criterion.

public byte[]

Returns:

a byte array containing the required subject distinguished name in ASN.1 DER format (or null)
getSubjectAsBytes()

Returns the subject criterion as a byte array.

public String

Returns:

the required subject distinguished name in RFC 2253 format (or null)
getSubjectAsString()
Deprecated since 16. Use getSubject() or getSubjectAsBytes() instead.

Returns the subject criterion as a String.

public byte[]

Returns:

the key identifier (or null)
getSubjectKeyIdentifier()

Returns the subjectKeyIdentifier criterion.

public PublicKey

Returns:

the subject public key to check for (or null)
getSubjectPublicKey()

Returns the subjectPublicKey criterion.

public String

Returns:

the object identifier (OID) of the signature algorithm to check for (or null). An OID is represented by a set of nonnegative integers separated by periods.
getSubjectPublicKeyAlgID()

Returns the subjectPublicKeyAlgID criterion.

private static String
keyUsageToString(boolean[] k)

Returns a printable representation of the KeyUsage.

pack-priv static GeneralNameInterface

Returns:

a GeneralNameInterface name
makeGeneralNameInterface(int
name type (0-8)
type, Object
name as ASN.1 Der-encoded byte array or String
name)

Make a GeneralNameInterface out of a name type (0-8) and an Object that may be a byte array holding the ASN.1 DER encoded name or a String form of the name.

public boolean

Returns:

true if the Certificate should be selected, false otherwise
match(Certificate
the Certificate to be checked
cert)

Implements java.security.cert.CertSelector.match.

Decides whether a Certificate should be selected.

private boolean
matchAuthorityKeyID(X509Certificate xcert)

private boolean
matchBasicConstraints(X509Certificate xcert)

private boolean
matchExcluded(GeneralSubtrees excluded)

private boolean
matchExtendedKeyUsage(X509Certificate xcert)

private boolean
matchKeyUsage(X509Certificate xcert)

private boolean
matchNameConstraints(X509Certificate xcert)

private boolean
matchPathToNames(X509Certificate xcert)

private boolean
matchPermitted(GeneralSubtrees permitted)

private boolean
matchPolicy(X509Certificate xcert)

private boolean
matchPrivateKeyValid(X509Certificate xcert)

private boolean
matchSubjectAlternativeNames(X509Certificate xcert)

private boolean
matchSubjectKeyID(X509Certificate xcert)

private boolean
matchSubjectPublicKeyAlgID(X509Certificate xcert)

private static Set<GeneralNameInterface>

Returns:

a Set of GeneralNameInterfaces
parseNames(Collection<List<?>>
a Collection with one entry per name. Each entry is a List whose first entry is an Integer (the name type, 0-8) and whose second entry is a String or a byte array (the name, in string or ASN.1 DER encoded form, respectively). There can be multiple names of the same type. Null is not an acceptable value.
names)

Parse an argument of the form passed to setSubjectAlternativeNames, returning a Collection of GeneralNameInterfaces.

public void
setAuthorityKeyIdentifier(byte[]
the authority key identifier (or null)
authorityKeyID)

Sets the authorityKeyIdentifier criterion.

public void
setBasicConstraints(int
the value for the basic constraints constraint
minMaxPathLen)

Sets the basic constraints constraint.

public void
setCertificate(X509Certificate
the X509Certificate to match (or null)
cert)

Sets the certificateEquals criterion.

public void
setCertificateValid(Date
the Date to check (or null)
certValid)

Sets the certificateValid criterion.

public void
setExtendedKeyUsage(Set<String>
a Set of key purpose OIDs in string format (or null). Each OID is represented by a set of nonnegative integers separated by periods.
keyPurposeSet)

Sets the extendedKeyUsage criterion.

public void
setIssuer(X500Principal
a distinguished name as X500Principal (or null)
issuer)

Sets the issuer criterion.

public void
setIssuer(String
a distinguished name in RFC 2253 format (or null)
issuerDN)
Deprecated since 16. Use setIssuer(X500Principal) or setIssuer(byte[]) instead.

Sets the issuer criterion.

public void
setIssuer(byte[]
a byte array containing the distinguished name in ASN.1 DER encoded form (or null)
issuerDN)

Sets the issuer criterion.

public void
setKeyUsage(boolean[]
a boolean array in the same format as the boolean array returned by X509Certificate.getKeyUsage(). Or null.
keyUsage)

Sets the keyUsage criterion.

public void
setMatchAllSubjectAltNames(boolean
if true, the flag is enabled; if false, the flag is disabled.
matchAllNames)

Enables/disables matching all of the subjectAlternativeNames specified in the setSubjectAlternativeNames or addSubjectAlternativeName methods.

public void
setNameConstraints(byte[]
a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Can be null, in which case no name constraints check will be performed.
bytes)

Sets the name constraints criterion.

public void
setPathToNames(Collection<List<?>>
a Collection with one entry per name (or null)
names)

Sets the pathToNames criterion.

public void
setPolicy(Set<String>
a Set of certificate policy OIDs in string format (or null). Each OID is represented by a set of nonnegative integers separated by periods.
certPolicySet)

Sets the policy constraint.

public void
setPrivateKeyValid(Date
the Date to check (or null)
privateKeyValid)

Sets the privateKeyValid criterion.

public void
setSerialNumber(BigInteger
the certificate serial number to match (or null)
serial)

Sets the serialNumber criterion.

public void
setSubject(X500Principal
a distinguished name as X500Principal (or null)
subject)

Sets the subject criterion.

public void
setSubject(String
a distinguished name in RFC 2253 format (or null)
subjectDN)
Deprecated since 16. Use setSubject(X500Principal) or setSubject(byte[]) instead.

Sets the subject criterion.

public void
setSubject(byte[]
a byte array containing the distinguished name in ASN.1 DER format (or null)
subjectDN)

Sets the subject criterion.

public void
setSubjectAlternativeNames(Collection<List<?>>
a Collection of names (or null)
names)

Sets the subjectAlternativeNames criterion.

public void
setSubjectKeyIdentifier(byte[]
the subject key identifier (or null)
subjectKeyID)

Sets the subjectKeyIdentifier criterion.

public void
setSubjectPublicKey(PublicKey
the subject public key to check for (or null)
key)

Sets the subjectPublicKey criterion.

public void
setSubjectPublicKey(byte[]
a byte array containing the subject public key in ASN.1 DER form (or null)
key)

Sets the subjectPublicKey criterion.

public void
setSubjectPublicKeyAlgID(String
The object identifier (OID) of the algorithm to check for (or null). An OID is represented by a set of nonnegative integers separated by periods.
oid)

Sets the subjectPublicKeyAlgID criterion.

public String

Returns:

a String describing the contents of the CertSelector
toString()

Overrides java.lang.Object.toString.

Return a printable representation of the CertSelector.

Inherited from java.lang.Object:
equalsfinalizegetClasshashCodenotifynotifyAllwaitwaitwait