Interface CtsSecurity::X509Certificate

Interface for X.509 v3 certificates. This provides a standard way to access all the attributes of an X.509 v3 certificate. This interface is modeled based on JDK v1.2 core API - java.security.cert.X509Certificate and java.security.cert.X509Extension

A good decription of X509 Certificate is provided in the IETF PKIX Working Group draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

Operation Index

checkCurrentValidity
checkValidity
equals
getBasicConstraints
getCertInfo
getCriticalExtensionOIDs
getEncoded
getExtensionValue
getIssuerDN
getIssuerUniqueID
getKeyUsage
getMD5Digest
getModulus
getNonCriticalExtensionOIDs
getNotAfter
getNotBefore
getPublicExponent
getSerialNumber
getSHA1Digest
getSigAlgName
getSigAlgOID
getSigAlgParams
getSignature
getSubjectDN
getSubjectUniqueID
getTBSCertificate
getVersion
hashCode
hasUnsupportedCriticalExtension
setCertificate
setCertificateData
toString
verify
verify__usingSignerDer

Operations

checkCurrentValidity

Checks that the certificate is currently valid. It is if the current date and time are within the validity period given in the certificate.

    void checkCurrentValidity
    (
    )
    raises (CtsSecurity::CertificateExpiredException, CtsSecurity::CertificateNotYetValidException);

The validity period consists of two date/time values: the first and last dates (and times) on which the certificate is valid. It is defined in ASN.1 as:

validity Validity

Validity ::= SEQUENCE { notBefore CertificateValidityDate, notAfter CertificateValidityDate }

CertificateValidityDate ::= CHOICE { utcTime UTCTime, generalTime GeneralizedTime }

checkValidity
Checks that the specified date is within the certificate's validity period. In other words, this determines whether the certificate would be valid at the specified date/time.
```
    void checkValidity
    (
        in MJD::Date date
    )
    raises (CtsSecurity::CertificateExpiredException, CtsSecurity::CertificateNotYetValidException);
```

equals

Compares this certificate for equality with the specified certificate object.

    boolean equals
    (
        in CtsSecurity::X509Certificate other
    );

getBasicConstraints
Gets the certificate constraints path length from the critical BasicConstraints extension, (OID = 2.5.29.19).
```
    long getBasicConstraints
    (
    );
```
The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA) and how deep a certification path may exist through that CA. The pathLenConstraint field (see below) is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path.
Note that for the PKIX profile this extension is always marked critical if cA is TRUE, meaning this certificate belongs to a Certificate Authority.
The ASN.1 definition for this is:
```
 BasicConstraints ::= SEQUENCE {
     cA                  BOOLEAN DEFAULT FALSE,
     pathLenConstraint   INTEGER (0..MAX) OPTIONAL }
 
```
Returns the length of the constraint if the BasicConstraints extension is present in the certificate and the cA value is TRUE. Otherwise returns -1.
getCertInfo
Returns all the information about the certificate in an easy-to-use format.
```
    CtsSecurity::CertInfo getCertInfo
    (
    );
```
getCriticalExtensionOIDs
Gets a sequence of the OID strings for the extension(s) marked CRITICAL in the certificate. If there are no critical extensions, this method returns an empty sequence. If there are no extensions present at all, then this method returns NoExtensionException.
```
    CtsSecurity::StringSeq getCriticalExtensionOIDs
    (
    )
    raises (CtsSecurity::NoExtensionException);
```

getEncoded

Returns the ASN.1 DER encoded form of this certificate.

    CtsSecurity::OctetSeq getEncoded
    (
    )
    raises (CtsSecurity::CertificateEncodingException);

getExtensionValue

Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String. The oid string is represented by a set of positive whole numbers separated by periods.

    CtsSecurity::OctetSeq getExtensionValue
    (
        in string oid
    )
    raises (CtsSecurity::NoSuchExtensionException);

For example:

OID Extension Name

2.5.29.14 SubjectKeyIdentifier

2.5.29.15 KeyUsage

2.5.29.16 PrivateKeyUsage

2.5.29.17 SubjectAlternativeName

2.5.29.18 IssuerAlternativeName

2.5.29.19 BasicConstraints

2.5.29.30 NameConstraints

2.5.29.33 PolicyMappings

2.5.29.36 PolicyConstraints

2.5.29.35 AuthorityKeyIdentifier

getIssuerDN
Gets the issuer (issuer distinguished name) value from the certificate. The issuer name identifies the entity that signed (and issued) the certificate.
```
    string getIssuerDN
    (
    );
```
The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:
```
 issuer    Name
 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion
 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 
```
The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the AttributeValue component is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.
getIssuerUniqueID
Gets the issuerUniqueID value from the certificate. The issuer unique identifier is present in the certificate to handle the possibility of reuse of issuer names over time. The PKIX Part I recommends that names not be reused and that conforming certificates not make use of unique identifiers. Applications conforming to that profile should be capable of parsing unique identifiers and making comparisons.
```
    CtsSecurity::OctetSeq getIssuerUniqueID
    (
    );
```
The ASN.1 definition for this is:
```
 issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL
 UniqueIdentifier  ::=  BIT STRING
 
```

OID	Extension Name
2.5.29.14	SubjectKeyIdentifier
2.5.29.15	KeyUsage
2.5.29.16	PrivateKeyUsage
2.5.29.17	SubjectAlternativeName
2.5.29.18	IssuerAlternativeName
2.5.29.19	BasicConstraints
2.5.29.30	NameConstraints
2.5.29.33	PolicyMappings
2.5.29.36	PolicyConstraints
2.5.29.35	AuthorityKeyIdentifier

getKeyUsage

Gets a boolean array representing bits of the KeyUsage extension, (OID = 2.5.29.15). The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The ASN.1 definition for this is:

 KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

The PKIX part I draft recommends that when used, this be marked as a critical extension.

    CtsSecurity::BooleanSeq getKeyUsage
    (
    );

getMD5Digest

Returns MD5 of the entire certificate.

    CtsSecurity::Digest getMD5Digest
    (
    );

getModulus

Returns RSA modulus of the public key.

    CtsSecurity::OctetSeq getModulus
    (
    );

getNonCriticalExtensionOIDs
Gets a sequence of the OID strings for the extension(s) marked NON-CRITICAL in the certificate. If there are no non-critical extensions, this method returns an empty sequence. If there are no extensions present at all, then this method returns NoExtensionException.
```
    CtsSecurity::StringSeq getNonCriticalExtensionOIDs
    (
    )
    raises (CtsSecurity::NoExtensionException);
```
getNotAfter
Gets the notAfter date from the validity period of the certificate.
```
    MJD::Date getNotAfter
    (
    );
```

getNotBefore

Gets the notBefore date from the validity period of the certificate. The relevant ASN.1 definitions are:

 validity             Validity
    MJD::Date getNotBefore
    (
    );


 
 Validity ::= SEQUENCE {
     notBefore      CertificateValidityDate,
     notAfter       CertificateValidityDate }

 CertificateValidityDate ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

getPublicExponent

Returns RSA Public Exponent of the public key.

    CtsSecurity::OctetSeq getPublicExponent
    (
    );

getSerialNumber
Gets the serialNumber value from the certificate. The serial number is a large integer assigned by the certification authority to each certificate. It must be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). The ASN.1 definition for this is:
```
 serialNumber     CertificateSerialNumber
    CtsSecurity::OctetSeq getSerialNumber
    (
    );


 
 CertificateSerialNumber  ::=  INTEGER
 
```
getSHA1Digest
Returns SHA1 Digest of the entire certificate.
```
    CtsSecurity::Digest getSHA1Digest
    (
    );
```

getSigAlgName

Gets the signature algorithm name for the certificate signature algorithm. An example is the string "SHA-1/DSA". The ASN.1 definition for this is:

signatureAlgorithm AlgorithmIdentifier

    string getSigAlgName
    (
    );

AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } -- contains a value of the type -- registered for use with the -- algorithm object identifier value

The algorithm name is determined from the algorithm OID string.

getSigAlgOID
Gets the signature algorithm OID string from the certificate. An OID is represented by a set of positive whole numbers separated by periods. For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per the PKIX part I.
```
    string getSigAlgOID
    (
    );
```
getSigAlgParams
Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm. In most cases, the signature algorithm parameters are null; the parameters are usually supplied with the certificate's public key.
```
    CtsSecurity::OctetSeq getSigAlgParams
    (
    );
```
getSignature
Gets the signature value (the raw signature bits) from the certificate. The ASN.1 definition for this is:
```
 signature     BIT STRING  
 
```
```
    CtsSecurity::OctetSeq getSignature
    (
    );
```
getSubjectDN
Gets the subject (subject distinguished name) value from the certificate. The ASN.1 definition for this is:
```
 subject    Name
 
```
```
    string getSubjectDN
    (
    );
```

getSubjectUniqueID

Gets the subjectUniqueID value from the certificate.

    CtsSecurity::OctetSeq getSubjectUniqueID
    (
    );

The ASN.1 definition for this is:

 subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL
 UniqueIdentifier  ::=  BIT STRING

getTBSCertificate
Gets the DER-encoded certificate information, the tbsCertificate from this certificate. This can be used to verify the signature independently.
```
    CtsSecurity::OctetSeq getTBSCertificate
    (
    )
    raises (CtsSecurity::CertificateEncodingException);
```

getVersion

Gets the version (version number) value from the certificate. The ASN.1 definition for this is:

 version         [0]  EXPLICIT Version DEFAULT v1
    long getVersion
    (
    );


 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

hashCode
Returns a hashcode value for this certificate from its encoded form.
```
    long hashCode
    (
    );
```
hasUnsupportedCriticalExtension
Returns true if a critical extension is found that is unsupported, otherwise returns false.
```
    boolean hasUnsupportedCriticalExtension
    (
    );
```

setCertificate

Initializes an X509Certificate object with the specified Certificate instance.

    void setCertificate
    (
        in CtsSecurity::X509Certificate certObject
    )
    raises (CtsSecurity::CertificateParsingException, CtsSecurity::CertificateEncodingException);

setCertificateData

Initializes an X509Certificate object with the specified Certificate BER data.

    void setCertificateData
    (
        in CtsSecurity::Cert certData
    )
    raises (CtsSecurity::CertificateParsingException, CtsSecurity::CertificateEncodingException);

toString
/** Returns a string representation of this certificate.
```
    string toString
    (
    );
```

verify

Verifies that this certificate was signed using the private key that corresponds to the specified public key certificate.

    void verify
    (
        in CtsSecurity::X509Certificate signer
    )
    raises (CtsSecurity::CertificateExpiredException, CtsSecurity::CertificateNotYetValidException, CtsSecurity::CertificateEncodingException, CtsSecurity::NoSuchAlgorithmException, CtsSecurity::InvalidKeyException, CtsSecurity::SignatureException);

verify__usingSignerDer

Verifies that this certificate was signed using the private key that corresponds to the specified public key certificate.

    void verify__usingSignerDer
    (
        in CtsSecurity::OctetSeq signer
    )
    raises (CtsSecurity::CertificateExpiredException, CtsSecurity::CertificateNotYetValidException, CtsSecurity::CertificateEncodingException, CtsSecurity::NoSuchAlgorithmException, CtsSecurity::InvalidKeyException, CtsSecurity::SignatureException);

Generated by Sybase EAServer 5.0