public class X509CertSelector extends Object implements CertSelector

java.lang.Object
   ↳ java.security.cert.X509CertSelector

Class Overview

A certificate selector (CertSelector) for selecting X509Certificates that match the specified criteria.

Summary

Public Constructors
X509CertSelector()
Creates a new X509CertSelector.
Public Methods
void addPathToName(int type, byte[] name)
Adds a "pathToName" to the respective criterion.
void addPathToName(int type, String name)
Adds a "pathToName" to the respective criterion.
void addSubjectAlternativeName(int tag, byte[] name)
Adds a subject alternative name to the respective criterion.
void addSubjectAlternativeName(int tag, String name)
Adds a subject alternative name to the respective criterion.
Object clone()
Clones this X509CertSelector instance.
byte[] getAuthorityKeyIdentifier()
Returns the criterion for the AuthorityKeyIdentifier extension.
int getBasicConstraints()
Returns the criterion for the basic constraints extension.
X509Certificate getCertificate()
Returns the certificate that a matching certificate must be equal to.
Date getCertificateValid()
Returns the criterion for the validity date of the certificate.
Set<String> getExtendedKeyUsage()
Returns the criterion for the ExtendedKeyUsage extension.
X500Principal getIssuer()
Returns the issuer that a certificate must match.
byte[] getIssuerAsBytes()
Returns the issuer that a certificate must match.
String getIssuerAsString()
Do not use, use getIssuer() or getIssuerAsBytes() instead.
boolean[] getKeyUsage()
Returns the criterion for the KeyUsage extension.
boolean getMatchAllSubjectAltNames()
Returns the flag for the matching behavior for subject alternative names.
byte[] getNameConstraints()
Returns the criterion for the name constraints.
Collection<List<?>> getPathToNames()
Returns the criterion for the pathToNames constraint.
Set<String> getPolicy()
Returns the criterion for the policy constraint.
Date getPrivateKeyValid()
Returns the criterion for the validity date of the private key.
BigInteger getSerialNumber()
Returns the serial number that a certificate must match.
X500Principal getSubject()
Returns the subject that a certificate must match.
Collection<List<?>> getSubjectAlternativeNames()
Returns the criterion for subject alternative names.
byte[] getSubjectAsBytes()
Returns the subject that a certificate must match.
String getSubjectAsString()
Do not use, use getSubject() or getSubjectAsBytes() instead.
byte[] getSubjectKeyIdentifier()
Returns the criterion for the SubjectKeyIdentifier extension.
PublicKey getSubjectPublicKey()
Returns the criterion for the subject public key.
String getSubjectPublicKeyAlgID()
Returns the criterion for the subject public key signature algorithm.
boolean match(Certificate certificate)
Returns whether the specified certificate matches all the criteria collected in this instance.
void setAuthorityKeyIdentifier(byte[] authorityKeyIdentifier)
Sets the criterion for the AuthorityKeyIdentifier extension.
void setBasicConstraints(int pathLen)
Sets the criterion for the basic constraints extension.
void setCertificate(X509Certificate certificate)
Sets the certificate that a matching certificate must be equal to.
void setCertificateValid(Date certificateValid)
Sets the criterion for the validity date of the certificate.
void setExtendedKeyUsage(Set<String> keyUsage)
Sets the criterion for the ExtendedKeyUsage extension.
void setIssuer(byte[] issuerDN)
Sets the issuer that a certificate must match.
void setIssuer(String issuerName)
Do not use, use setIssuer(byte[]) or setIssuer(X500Principal) instead.
void setIssuer(X500Principal issuer)
Sets the issuer that a certificate must match.
void setKeyUsage(boolean[] keyUsage)
Sets the criterion for the KeyUsage extension.
void setMatchAllSubjectAltNames(boolean matchAllNames)
Sets the flag for the matching behavior for subject alternative names.
void setNameConstraints(byte[] bytes)
Sets the criterion for the name constraints.
void setPathToNames(Collection<List<?>> names)
Sets the criterion for the pathToNames constraint.
void setPolicy(Set<String> policies)
Sets the criterion for the policy constraint.
void setPrivateKeyValid(Date privateKeyValid)
Sets the criterion for the validity date of the private key.
void setSerialNumber(BigInteger serialNumber)
Sets the serial number that a certificate must match.
void setSubject(X500Principal subject)
Set the subject that a certificate must match.
void setSubject(String subjectDN)
Do not use, use setSubject(byte[]) or setSubject(X500Principal) instead.
void setSubject(byte[] subjectDN)
Sets the subject that a certificate must match.
void setSubjectAlternativeNames(Collection<List<?>> names)
Sets the criterion for subject alternative names.
void setSubjectKeyIdentifier(byte[] subjectKeyIdentifier)
Sets the criterion for the SubjectKeyIdentifier extension.
void setSubjectPublicKey(byte[] key)
Sets the criterion for the subject public key.
void setSubjectPublicKey(PublicKey key)
Sets the criterion for the subject public key.
void setSubjectPublicKeyAlgID(String oid)
Sets the criterion for the subject public key signature algorithm.
String toString()
Returns a string representation of this X509CertSelector instance.
Inherited Methods
From class java.lang.Object
From interface java.security.cert.CertSelector

Public Constructors

public X509CertSelector ()

Creates a new X509CertSelector.

Public Methods

public void addPathToName (int type, byte[] name)

Adds a "pathToName" to the respective criterion.

Parameters
type the type of the name
name the name in ASN.1 DER encoded form.
Throws
IOException if decoding fails.

public void addPathToName (int type, String name)

Adds a "pathToName" to the respective criterion.

Parameters
type the type of the name.
name the name in string format.
Throws
IOException if parsing fails.

public void addSubjectAlternativeName (int tag, byte[] name)

Adds a subject alternative name to the respective criterion.

Parameters
tag the type of the name.
name the name in ASN.1 DER encoded form.
Throws
IOException if the decoding of the name fails.

public void addSubjectAlternativeName (int tag, String name)

Adds a subject alternative name to the respective criterion.

Parameters
tag the type of the name
name the name in string format.
Throws
IOException if parsing the name fails.

public Object clone ()

Clones this X509CertSelector instance.

Returns
  • the cloned instance.

public byte[] getAuthorityKeyIdentifier ()

Returns the criterion for the AuthorityKeyIdentifier extension.

Returns
  • the authority key identifier, or null if it is not to be checked.

public int getBasicConstraints ()

Returns the criterion for the basic constraints extension.

A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

Returns
  • the value of the criterion.

public X509Certificate getCertificate ()

Returns the certificate that a matching certificate must be equal to.

Returns
  • the certificate to match, or null if this criterion is not checked.

public Date getCertificateValid ()

Returns the criterion for the validity date of the certificate.

Returns
  • the validity date or null if the date is not to be checked.

public Set<String> getExtendedKeyUsage ()

Returns the criterion for the ExtendedKeyUsage extension.

Returns
  • the set of key usage OIDs, or null if it's not to be checked.

public X500Principal getIssuer ()

Returns the issuer that a certificate must match.

Returns
  • the issuer that a certificate must match, or null if the issuer is not to be checked.

public byte[] getIssuerAsBytes ()

Returns the issuer that a certificate must match.

Returns
  • the distinguished issuer name in ASN.1 DER encoded format, or null if the issuer is not to be checked.
Throws
IOException if encoding the issuer fails.

public String getIssuerAsString ()

Do not use, use getIssuer() or getIssuerAsBytes() instead. Returns the issuer that a certificate must match as an RFC 2253 format string.

Returns
  • the issuer as an RFC 2253 format string, or null if the issuer is not to be checked.

public boolean[] getKeyUsage ()

Returns the criterion for the KeyUsage extension.

Returns
  • the boolean array in the same layout as X509Certificate.getKeyUsage(), or null if the key usage is not to be checked.

public boolean getMatchAllSubjectAltNames ()

Returns the flag for the matching behavior for subject alternative names.

The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(Collection<List<?>>) or addSubjectAlternativeName(int, byte[]).

Returns
  • true if a certificate must contain all of the specified subject alternative names, otherwise false.

public byte[] getNameConstraints ()

Returns the criterion for the name constraints.

Returns
  • the name constraints or null if none specified.

public Collection<List<?>> getPathToNames ()

Returns the criterion for the pathToNames constraint.

The constraint is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

Returns
  • the pathToNames constraint or null if none specified.

public Set<String> getPolicy ()

Returns the criterion for the policy constraint.

The certificate must have at least one of the specified certificate policies in its certificate policies extension. For an empty set the certificate must have at least some policies in its policy extension.

Returns
  • the certificate policy OIDs, an empty set, or null if not to be checked.

public Date getPrivateKeyValid ()

Returns the criterion for the validity date of the private key.

The private key must be valid at the specified date.

Returns
  • the validity date or null if the date is not to be checked.

public BigInteger getSerialNumber ()

Returns the serial number that a certificate must match.

Returns
  • the serial number to match, or null if the serial number is not to be checked.

public X500Principal getSubject ()

Returns the subject that a certificate must match.

Returns
  • the subject distinguished name, or null if the subject is not to be checked.

public Collection<List<?>> getSubjectAlternativeNames ()

Returns the criterion for subject alternative names.

The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

The subject alternative names criterion is a collection with an entry for each name included in the criterion. Each name is specified as a List: the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

Returns
  • the names collection or null if none specified.

public byte[] getSubjectAsBytes ()

Returns the subject that a certificate must match.

Returns
  • the subject distinguished name in ASN.1 DER format, or null if the subject is not to be checked.
Throws
IOException if encoding the subject fails.

public String getSubjectAsString ()

Do not use, use getSubject() or getSubjectAsBytes() instead. Returns the subject that a certificate must match.

Returns
  • the subject distinguished name in RFC 2253 format, or null if the subject is not to be checked.

public byte[] getSubjectKeyIdentifier ()

Returns the criterion for the SubjectKeyIdentifier extension.

Returns
  • the subject key identifier or null if it is not to be checked.

public PublicKey getSubjectPublicKey ()

Returns the criterion for the subject public key.

Returns
  • the subject public key or null if the key is not to be checked.

public String getSubjectPublicKeyAlgID ()

Returns the criterion for the subject public key signature algorithm.

Returns
  • the OID (object identifier) of the signature algorithm, or null if it's not to be checked.

public boolean match (Certificate certificate)

Returns whether the specified certificate matches all the criteria collected in this instance.

Parameters
certificate the certificate to check.
Returns
  • true if the certificate matches all the criteria, otherwise false.
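The following is an added example, not code from the platform documentation, showing how a practitioner combines several of the criteria above and lets match() do the filtering, either directly or through a "Collection" CertStore (which calls match() on every candidate). The command-line certificate files, the issuer DN and the serverAuth OID constant are assumptions of this example:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Added example: pick the certificates usable as a TLS server certificate
 * for a given issuer out of a bag of candidates.
 */
public class ServerCertSelection {

    // OID for id-kp-serverAuth (RFC 5280, section 4.2.1.12).
    private static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Selector for end-entity server certificates from the given issuer that are valid at 'at'. */
    static X509CertSelector serverCertSelector(X500Principal issuer, Date at) {
        X509CertSelector sel = new X509CertSelector();
        sel.setIssuer(issuer);              // issuer DN must equal this principal
        sel.setCertificateValid(at);        // notBefore <= at <= notAfter
        sel.setBasicConstraints(-2);        // -2: end-entity certificates only, CA certificates are rejected
        boolean[] ku = new boolean[9];      // same layout as X509Certificate.getKeyUsage()
        ku[0] = true;                       // digitalSignature must be asserted; false entries are "don't care"
        sel.setKeyUsage(ku);
        try {
            sel.setExtendedKeyUsage(Collections.singleton(SERVER_AUTH));
        } catch (IOException e) {           // only thrown for a malformed OID string
            throw new IllegalStateException(e);
        }
        return sel;
    }

    /** Applies the selector to every candidate through a CertStore. */
    static Collection<? extends Certificate> select(List<X509Certificate> candidates,
                                                    X509CertSelector sel) throws Exception {
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates));
        return store.getCertificates(sel);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> candidates = new ArrayList<>();
        for (String path : args) {          // assumed: PEM or DER certificate files on the command line
            try (InputStream in = new FileInputStream(path)) {
                candidates.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        // Assumed issuer DN; replace with the CA you actually expect.
        X500Principal issuer = new X500Principal("CN=Example Issuing CA, O=Example Corp, C=US");
        X509CertSelector sel = serverCertSelector(issuer, new Date());

        for (Certificate c : select(candidates, sel)) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("selected: serial=" + x.getSerialNumber().toString(16)
                    + " subject=" + x.getSubjectX500Principal());
        }
        // The same decision one certificate at a time:
        for (X509Certificate x : candidates) {
            System.out.println(x.getSubjectX500Principal() + " -> " + sel.match(x));
        }
    }
}
```

Two caveats worth knowing when reading the result: a true key-usage entry means that bit must be set in the certificate, while false entries are ignored; and in the OpenJDK implementation a certificate that carries no KeyUsage or ExtendedKeyUsage extension at all passes those two criteria. A selector therefore narrows a set of candidates; it does not replace chain validation with CertPathValidator.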

public void setAuthorityKeyIdentifier (byte[] authorityKeyIdentifier)

Sets the criterion for the AuthorityKeyIdentifier extension.

Parameters
authorityKeyIdentifier the authority key identifier, or null to disable this check.

public void setBasicConstraints (int pathLen)

Sets the criterion for the basic constraints extension.

A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

Parameters
pathLen the value specifying the criterion.
Throws
IllegalArgumentException if pathLen is less than -2.

public void setCertificate (X509Certificate certificate)

Sets the certificate that a matching certificate must be equal to.

Parameters
certificate the certificate to match, or null to not check this criterion.

public void setCertificateValid (Date certificateValid)

Sets the criterion for the validity date of the certificate.

The certificate must be valid at the specified date.

Parameters
certificateValid the validity date or null to not check the date.

public void setExtendedKeyUsage (Set<String> keyUsage)

Sets the criterion for the ExtendedKeyUsage extension.

Parameters
keyUsage the set of key usage OIDs, or null to not check it.
Throws
IOException if one of the OIDs is invalid.

public void setIssuer (byte[] issuerDN)

Sets the issuer that a certificate must match.

Parameters
issuerDN the distinguished issuer name in ASN.1 DER encoded format, or null to not check the issuer.
Throws
IOException if decoding the issuer fails.

public void setIssuer (String issuerName)

Do not use, use setIssuer(byte[]) or setIssuer(X500Principal) instead. Sets the issuer that a certificate must match.

Parameters
issuerName the issuer as an RFC 2253 format string, or null to not check the issuer.
Throws
IOException if parsing the issuer fails.

public void setIssuer (X500Principal issuer)

Sets the issuer that a certificate must match.

Parameters
issuer the issuer to match, or null if the issuer is not to be checked.

public void setKeyUsage (boolean[] keyUsage)

Sets the criterion for the KeyUsage extension.

Parameters
keyUsage the boolean array in the same layout as X509Certificate.getKeyUsage(), or null to not check the key usage.

public void setMatchAllSubjectAltNames (boolean matchAllNames)

Sets the flag for the matching behavior for subject alternative names.

The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(Collection<List<?>>) or addSubjectAlternativeName(int, byte[]).

Parameters
matchAllNames true if a certificate must contain all of the specified subject alternative names, otherwise false.

public void setNameConstraints (byte[] bytes)

Sets the criterion for the name constraints.

The certificate's subject and subject alternative names must be permitted by the specified name constraints.

The name constraints in ASN.1:

 NameConstraints ::= SEQUENCE {
        permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
        excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
 GeneralSubtree ::= SEQUENCE {
        base                    GeneralName,
        minimum         [0]     BaseDistance DEFAULT 0,
        maximum         [1]     BaseDistance OPTIONAL }
 
 BaseDistance ::= INTEGER (0..MAX)
 
 GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER}
 
 

Parameters
bytes the name constraints in ASN.1 DER encoded format, or null to not check any constraints.
Throws
IOException if decoding the name constraints fails.

public void setPathToNames (Collection<List<?>> names)

Sets the criterion for the pathToNames constraint.

This specifies the complete set of names that a certificate's name constraints must permit.

The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

Parameters
names the names collection or null to not perform this check.
Throws
IOException if decoding fails.
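The two name-constraint criteria above (setNameConstraints, which expects the DER encoding of the NameConstraints structure shown earlier, and setPathToNames/addPathToName, which name the leaves a CA must be allowed to issue for) are illustrated by the following added example. The DER encoder is written here for the example and is not part of the platform; it assumes implicit tagging as in the PKIX module and only emits dNSName subtrees:

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509CertSelector;

/** Added example: build a NameConstraints value by hand and feed it to X509CertSelector. */
public class NameConstraintSelectors {
    static final int DNS_NAME = 2;   // GeneralName CHOICE index for dNSName

    /** DER TLV with a definite length (short or long form). */
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int n = (len > 0xFFFF) ? 3 : (len > 0xFF) ? 2 : 1;
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
        out.write(content, 0, content.length);
        return out.toByteArray();
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    /** GeneralSubtree { base dNSName(host) } with the DEFAULT minimum 0 and no maximum. */
    static byte[] dnsSubtree(String host) {
        byte[] ia5 = host.getBytes(StandardCharsets.US_ASCII);
        return tlv(0x30, tlv(0x82, ia5));   // SEQUENCE { [2] IMPLICIT IA5String }
    }

    /** NameConstraints { permittedSubtrees [0] GeneralSubtrees, excludedSubtrees [1] GeneralSubtrees }. */
    static byte[] nameConstraints(String[] permittedDns, String[] excludedDns) {
        byte[] body = new byte[0];
        if (permittedDns.length > 0) {
            byte[] subtrees = new byte[0];
            for (String h : permittedDns) subtrees = concat(subtrees, dnsSubtree(h));
            body = concat(body, tlv(0xA0, subtrees));   // [0] IMPLICIT SEQUENCE OF GeneralSubtree
        }
        if (excludedDns.length > 0) {
            byte[] subtrees = new byte[0];
            for (String h : excludedDns) subtrees = concat(subtrees, dnsSubtree(h));
            body = concat(body, tlv(0xA1, subtrees));   // [1] IMPLICIT SEQUENCE OF GeneralSubtree
        }
        return tlv(0x30, body);                         // outer SEQUENCE
    }

    /** Selector accepting only certificates whose subject and SANs fall inside the constraints. */
    static X509CertSelector withinConstraints(byte[] nameConstraintsDer) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setNameConstraints(nameConstraintsDer);
        return sel;
    }

    /** Selector for CA certificates whose own name constraints permit every given DNS name. */
    static X509CertSelector caPermitting(String... hosts) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setBasicConstraints(0);          // path length >= 0: the candidate must be a CA certificate
        for (String h : hosts) sel.addPathToName(DNS_NAME, h);
        return sel;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: permit example.com and below, exclude internal.example.com and below.
        byte[] nc = nameConstraints(new String[] {"example.com"},
                                    new String[] {"internal.example.com"});
        StringBuilder hex = new StringBuilder();
        for (byte b : nc) hex.append(String.format("%02x", b));
        System.out.println("NameConstraints DER: " + hex);
        System.out.println(withinConstraints(nc));
        System.out.println(caPermitting("www.example.com", "api.example.com"));
    }
}
```

The first selector answers "does this certificate's subject and SAN set stay inside these constraints", which is what a relying party checks on a leaf. The second answers "may this CA issue for these hosts", which is the question a chain builder asks of each intermediate, and is the intended use of pathToNames.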

public void setPolicy (Set<String> policies)

Sets the criterion for the policy constraint.

The certificate must have at least one of the specified certificate policy extensions. For an empty set the certificate must have at least some policies in its policy extension.

Parameters
policies the certificate policy OIDs, an empty set, or null to not perform this check.
Throws
IOException if parsing the specified OIDs fails.

public void setPrivateKeyValid (Date privateKeyValid)

Sets the criterion for the validity date of the private key.

The private key must be valid at the specified date.

Parameters
privateKeyValid the validity date or null to not check the date.

public void setSerialNumber (BigInteger serialNumber)

Sets the serial number that a certificate must match.

Parameters
serialNumber the serial number to match, or null to not check the serial number.

public void setSubject (X500Principal subject)

Sets the subject that a certificate must match.

Parameters
subject the subject distinguished name or null to not check the subject.

public void setSubject (String subjectDN)

Do not use, use setSubject(byte[]) or setSubject(X500Principal) instead. Sets the subject that a certificate must match.

Parameters
subjectDN the subject distinguished name in RFC 2253 format or null to not check the subject.
Throws
IOException if decoding the subject fails.

public void setSubject (byte[] subjectDN)

Sets the subject that a certificate must match.

Parameters
subjectDN the subject distinguished name in ASN.1 DER format, or null to not check the subject.
Throws
IOException if decoding the subject fails.

public void setSubjectAlternativeNames (Collection<List<?>> names)

Sets the criterion for subject alternative names.

The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

Parameters
names the names collection or null to not perform this check.
Throws
IOException if the decoding of a name fails.
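The subject-alternative-name criterion and the matchAll flag described in setMatchAllSubjectAltNames, addSubjectAlternativeName and setSubjectAlternativeNames are shown together in this added example (not platform code). The certificate file path is an assumption; the GeneralName type constants are the CHOICE indices from the ASN.1 above:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Added example: SAN-based selectors with "all names" and "any name" semantics. */
public class SanSelectors {
    // GeneralName CHOICE indices accepted as the name type.
    static final int RFC822_NAME = 1;
    static final int DNS_NAME = 2;
    static final int URI_NAME = 6;
    static final int IP_ADDRESS = 7;

    /** Every listed DNS name must appear in the certificate's SAN extension. */
    static X509CertSelector requireAllDnsNames(String... hosts) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setMatchAllSubjectAltNames(true);
        for (String h : hosts) sel.addSubjectAlternativeName(DNS_NAME, h);
        return sel;
    }

    /** At least one of the given (type, value) names must appear in the SAN extension. */
    static X509CertSelector requireAnyName(Collection<List<?>> names) throws IOException {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubjectAlternativeNames(names);   // each entry: [Integer type, String or byte[] value]
        sel.setMatchAllSubjectAltNames(false);
        return sel;
    }

    /** Builds the collection form of the criterion for one host name and one IP address. */
    static Collection<List<?>> hostOrIp(String host, String ip) {
        Collection<List<?>> names = new ArrayList<>();
        names.add(Arrays.asList(DNS_NAME, host));
        names.add(Arrays.asList(IP_ADDRESS, ip));   // string form, e.g. "192.0.2.10" (constructed sample)
        return names;
    }

    /** True if the certificate presents every one of the given DNS names. */
    static boolean presentsAll(X509Certificate cert, String... hosts) throws IOException {
        return requireAllDnsNames(hosts).match(cert);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {   // assumed: certificate file path
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("all of www+api: "
                + presentsAll(cert, "www.example.com", "api.example.com"));
        System.out.println("host or ip:     "
                + requireAnyName(hostOrIp("www.example.com", "192.0.2.10")).match(cert));
    }
}
```

A certificate without any SAN extension fails both selectors once a name criterion is set, so this is a safe way to insist on SAN-based identity rather than the legacy subject CN.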

public void setSubjectKeyIdentifier (byte[] subjectKeyIdentifier)

Sets the criterion for the SubjectKeyIdentifier extension.

The subjectKeyIdentifier should be a single DER encoded value.

Parameters
subjectKeyIdentifier the subject key identifier or null to disable this check.
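A common use of the key-identifier criteria is locating the issuer of a certificate: the leaf's AuthorityKeyIdentifier keyIdentifier is looked up against the SubjectKeyIdentifier of candidate CA certificates. The added example below (not platform code) does that with a small DER reader written for the example. It assumes, as the text above says, that the criterion is the single DER encoded value, that is the OCTET STRING "04 len keyid" that sits inside the extension value, and that key identifiers are shorter than 128 bytes:

```java
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Added example: find a leaf's issuer by AKI -> SKI, issuer DN and CA flag. */
public class IssuerLookup {
    static final String OID_AKI = "2.5.29.35";

    /** Minimal DER reader: returns {contentOffset, contentLength} of the TLV starting at 'off'. */
    static int[] header(byte[] der, int off) {
        int lenByte = der[off + 1] & 0xFF;
        if (lenByte < 0x80) return new int[] {off + 2, lenByte};
        int n = lenByte & 0x7F;
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[off + 2 + i] & 0xFF);
        return new int[] {off + 2 + n, len};
    }

    /**
     * Extracts the AKI keyIdentifier and returns it re-wrapped as a DER OCTET STRING,
     * the form setSubjectKeyIdentifier expects. Returns null if there is no keyIdentifier.
     */
    static byte[] issuerKeyIdAsSki(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_AKI);
        if (ext == null) return null;
        int[] octet = header(ext, 0);            // getExtensionValue wraps the value in an OCTET STRING
        int[] seq = header(ext, octet[0]);       // AuthorityKeyIdentifier ::= SEQUENCE { ... }
        int pos = seq[0], end = seq[0] + seq[1];
        while (pos < end) {
            int tag = ext[pos] & 0xFF;
            int[] h = header(ext, pos);
            if (tag == 0x80) {                   // [0] IMPLICIT keyIdentifier OCTET STRING
                byte[] keyId = Arrays.copyOfRange(ext, h[0], h[0] + h[1]);
                if (keyId.length >= 0x80) {
                    throw new IllegalArgumentException("unexpectedly long key identifier");
                }
                byte[] out = new byte[keyId.length + 2];
                out[0] = 0x04;                   // OCTET STRING tag
                out[1] = (byte) keyId.length;    // short-form length (assumption: < 128 bytes)
                System.arraycopy(keyId, 0, out, 2, keyId.length);
                return out;
            }
            pos = h[0] + h[1];
        }
        return null;
    }

    /** Candidate issuers of 'leaf' in 'pool': subject DN equals the leaf's issuer DN, CA flag set, SKI equals AKI. */
    static Collection<? extends Certificate> findIssuers(X509Certificate leaf,
                                                         List<X509Certificate> pool) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(leaf.getIssuerX500Principal());
        sel.setBasicConstraints(0);              // must carry basic constraints marking it a CA
        byte[] ski = issuerKeyIdAsSki(leaf);
        if (ski != null) sel.setSubjectKeyIdentifier(ski);   // key-id match is stronger than DN match alone
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool));
        return store.getCertificates(sel);
    }
}
```

Selecting on the key identifier in addition to the DN matters when a CA has been re-keyed under the same name: several candidates then share the subject DN, and only the one whose SubjectKeyIdentifier equals the leaf's AuthorityKeyIdentifier actually signed it. The result is still only a candidate list; signature and chain checks remain the job of CertPathValidator.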

public void setSubjectPublicKey (byte[] key)

Sets the criterion for the subject public key.

Parameters
key the subject public key in ASN.1 DER encoded format or null to not check the key.
Throws
IOException if decoding the public key fails.

public void setSubjectPublicKey (PublicKey key)

Sets the criterion for the subject public key.

Parameters
key the subject public key or null to not check the key.

public void setSubjectPublicKeyAlgID (String oid)

Sets the criterion for the subject public key signature algorithm.

The certificate must contain a subject public key with the algorithm specified.

Parameters
oid the OID (object identifier) of the signature algorithm or null to not check the OID.
Throws
IOException if the specified object identifier is invalid.

public String toString ()

Returns a string representation of this X509CertSelector instance.

Returns
  • a string representation of this X509CertSelector instance.