View Javadoc
1   /*
2    * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.  Oracle designates this
8    * particular file as subject to the "Classpath" exception as provided
9    * by Oracle in the LICENSE file that accompanied this code.
10   *
11   * This code is distributed in the hope that it will be useful, but WITHOUT
12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14   * version 2 for more details (a copy is included in the LICENSE file that
15   * accompanied this code).
16   *
17   * You should have received a copy of the GNU General Public License version
18   * 2 along with this work; if not, write to the Free Software Foundation,
19   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20   *
21   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22   * or visit www.oracle.com if you need additional information or have any
23   * questions.
24   */
25  
26  package java.security.cert;
27  
28  import java.math.BigInteger;
29  import java.security.*;
30  import java.util.Collection;
31  import java.util.Date;
32  import java.util.List;
33  import javax.security.auth.x500.X500Principal;
34  
35  import sun.security.x509.X509CertImpl;
36  
37  /**
38   * <p>
39   * Abstract class for X.509 certificates. This provides a standard
40   * way to access all the attributes of an X.509 certificate.
41   * <p>
42   * In June of 1996, the basic X.509 v3 format was completed by
43   * ISO/IEC and ANSI X9, which is described below in ASN.1:
44   * <pre>
45   * Certificate  ::=  SEQUENCE  {
46   *     tbsCertificate       TBSCertificate,
47   *     signatureAlgorithm   AlgorithmIdentifier,
48   *     signature            BIT STRING  }
49   * </pre>
50   * <p>
51   * These certificates are widely used to support authentication and
52   * other functionality in Internet security systems. Common applications
53   * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
54   * code signing for trusted software distribution, and Secure Electronic
55   * Transactions (SET).
56   * <p>
57   * These certificates are managed and vouched for by <em>Certificate
58   * Authorities</em> (CAs). CAs are services which create certificates by
59   * placing data in the X.509 standard format and then digitally signing
60   * that data. CAs act as trusted third parties, making introductions
61   * between principals who have no direct knowledge of each other.
62   * CA certificates are either signed by themselves, or by some other
63   * CA such as a "root" CA.
64   * <p>
65   * More information can be found in
66   * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
67   * Public Key Infrastructure Certificate and CRL Profile</a>.
68   * <p>
69   * The ASN.1 definition of {@code tbsCertificate} is:
70   * <pre>
71   * TBSCertificate  ::=  SEQUENCE  {
72   *     version         [0]  EXPLICIT Version DEFAULT v1,
73   *     serialNumber         CertificateSerialNumber,
74   *     signature            AlgorithmIdentifier,
75   *     issuer               Name,
76   *     validity             Validity,
77   *     subject              Name,
78   *     subjectPublicKeyInfo SubjectPublicKeyInfo,
79   *     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
80   *                          -- If present, version must be v2 or v3
81   *     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
82   *                          -- If present, version must be v2 or v3
83   *     extensions      [3]  EXPLICIT Extensions OPTIONAL
84   *                          -- If present, version must be v3
85   *     }
86   * </pre>
87   * <p>
88   * Certificates are instantiated using a certificate factory. The following is
89   * an example of how to instantiate an X.509 certificate:
90   * <pre>
91   * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
92   *     CertificateFactory cf = CertificateFactory.getInstance("X.509");
93   *     X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
94   * }
95   * </pre>
96   *
97   * @author Hemma Prafullchandra
98   *
99   *
100  * @see Certificate
101  * @see CertificateFactory
102  * @see X509Extension
103  */
104 
105 public abstract class X509Certificate extends Certificate
106 implements X509Extension {
107 
108     private static final long serialVersionUID = -2491127588187038216L;
109 
110     private transient X500Principal subjectX500Principal, issuerX500Principal;
111 
112     /**
113      * Constructor for X.509 certificates.
114      */
115     protected X509Certificate() {
116         super("X.509");
117     }
118 
119     /**
120      * Checks that the certificate is currently valid. It is if
121      * the current date and time are within the validity period given in the
122      * certificate.
123      * <p>
124      * The validity period consists of two date/time values:
125      * the first and last dates (and times) on which the certificate
126      * is valid. It is defined in
127      * ASN.1 as:
128      * <pre>
129      * validity             Validity
130      *
131      * Validity ::= SEQUENCE {
132      *     notBefore      CertificateValidityDate,
133      *     notAfter       CertificateValidityDate }
134      *
135      * CertificateValidityDate ::= CHOICE {
136      *     utcTime        UTCTime,
137      *     generalTime    GeneralizedTime }
138      * </pre>
139      *
140      * @exception CertificateExpiredException if the certificate has expired.
141      * @exception CertificateNotYetValidException if the certificate is not
142      * yet valid.
143      */
144     public abstract void checkValidity()
145         throws CertificateExpiredException, CertificateNotYetValidException;
146 
147     /**
148      * Checks that the given date is within the certificate's
149      * validity period. In other words, this determines whether the
150      * certificate would be valid at the given date/time.
151      *
152      * @param date the Date to check against to see if this certificate
153      *        is valid at that date/time.
154      *
155      * @exception CertificateExpiredException if the certificate has expired
156      * with respect to the {@code date} supplied.
157      * @exception CertificateNotYetValidException if the certificate is not
158      * yet valid with respect to the {@code date} supplied.
159      *
160      * @see #checkValidity()
161      */
162     public abstract void checkValidity(Date date)
163         throws CertificateExpiredException, CertificateNotYetValidException;
164 
165     /**
166      * Gets the {@code version} (version number) value from the
167      * certificate.
168      * The ASN.1 definition for this is:
169      * <pre>
170      * version  [0] EXPLICIT Version DEFAULT v1
171      *
172      * Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
173      * </pre>
174      * @return the version number, i.e. 1, 2 or 3.
175      */
176     public abstract int getVersion();
177 
178     /**
179      * Gets the {@code serialNumber} value from the certificate.
180      * The serial number is an integer assigned by the certification
181      * authority to each certificate. It must be unique for each
182      * certificate issued by a given CA (i.e., the issuer name and
183      * serial number identify a unique certificate).
184      * The ASN.1 definition for this is:
185      * <pre>
186      * serialNumber     CertificateSerialNumber
187      *
188      * CertificateSerialNumber  ::=  INTEGER
189      * </pre>
190      *
191      * @return the serial number.
192      */
193     public abstract BigInteger getSerialNumber();
194 
195     /**
196      * <strong>Denigrated</strong>, replaced by {@linkplain
197      * #getIssuerX500Principal()}. This method returns the {@code issuer}
198      * as an implementation specific Principal object, which should not be
199      * relied upon by portable code.
200      *
201      * <p>
202      * Gets the {@code issuer} (issuer distinguished name) value from
203      * the certificate. The issuer name identifies the entity that signed (and
204      * issued) the certificate.
205      *
206      * <p>The issuer name field contains an
207      * X.500 distinguished name (DN).
208      * The ASN.1 definition for this is:
209      * <pre>
210      * issuer    Name
211      *
212      * Name ::= CHOICE { RDNSequence }
213      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
214      * RelativeDistinguishedName ::=
215      *     SET OF AttributeValueAssertion
216      *
217      * AttributeValueAssertion ::= SEQUENCE {
218      *                               AttributeType,
219      *                               AttributeValue }
220      * AttributeType ::= OBJECT IDENTIFIER
221      * AttributeValue ::= ANY
222      * </pre>
223      * The {@code Name} describes a hierarchical name composed of
224      * attributes,
225      * such as country name, and corresponding values, such as US.
226      * The type of the {@code AttributeValue} component is determined by
227      * the {@code AttributeType}; in general it will be a
228      * {@code directoryString}. A {@code directoryString} is usually
229      * one of {@code PrintableString},
230      * {@code TeletexString} or {@code UniversalString}.
231      *
232      * @return a Principal whose name is the issuer distinguished name.
233      */
234     public abstract Principal getIssuerDN();
235 
236     /**
237      * Returns the issuer (issuer distinguished name) value from the
238      * certificate as an {@code X500Principal}.
239      * <p>
240      * It is recommended that subclasses override this method.
241      *
242      * @return an {@code X500Principal} representing the issuer
243      *          distinguished name
244      * @since 1.4
245      */
246     public X500Principal getIssuerX500Principal() {
247         if (issuerX500Principal == null) {
248             issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
249         }
250         return issuerX500Principal;
251     }
252 
253     /**
254      * <strong>Denigrated</strong>, replaced by {@linkplain
255      * #getSubjectX500Principal()}. This method returns the {@code subject}
256      * as an implementation specific Principal object, which should not be
257      * relied upon by portable code.
258      *
259      * <p>
260      * Gets the {@code subject} (subject distinguished name) value
261      * from the certificate.  If the {@code subject} value is empty,
262      * then the {@code getName()} method of the returned
263      * {@code Principal} object returns an empty string ("").
264      *
265      * <p> The ASN.1 definition for this is:
266      * <pre>
267      * subject    Name
268      * </pre>
269      *
270      * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
271      * and other relevant definitions.
272      *
273      * @return a Principal whose name is the subject name.
274      */
275     public abstract Principal getSubjectDN();
276 
277     /**
278      * Returns the subject (subject distinguished name) value from the
279      * certificate as an {@code X500Principal}.  If the subject value
280      * is empty, then the {@code getName()} method of the returned
281      * {@code X500Principal} object returns an empty string ("").
282      * <p>
283      * It is recommended that subclasses override this method.
284      *
285      * @return an {@code X500Principal} representing the subject
286      *          distinguished name
287      * @since 1.4
288      */
289     public X500Principal getSubjectX500Principal() {
290         if (subjectX500Principal == null) {
291             subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
292         }
293         return subjectX500Principal;
294     }
295 
296     /**
297      * Gets the {@code notBefore} date from the validity period of
298      * the certificate.
299      * The relevant ASN.1 definitions are:
300      * <pre>
301      * validity             Validity
302      *
303      * Validity ::= SEQUENCE {
304      *     notBefore      CertificateValidityDate,
305      *     notAfter       CertificateValidityDate }
306      *
307      * CertificateValidityDate ::= CHOICE {
308      *     utcTime        UTCTime,
309      *     generalTime    GeneralizedTime }
310      * </pre>
311      *
312      * @return the start date of the validity period.
313      * @see #checkValidity
314      */
315     public abstract Date getNotBefore();
316 
317     /**
318      * Gets the {@code notAfter} date from the validity period of
319      * the certificate. See {@link #getNotBefore() getNotBefore}
320      * for relevant ASN.1 definitions.
321      *
322      * @return the end date of the validity period.
323      * @see #checkValidity
324      */
325     public abstract Date getNotAfter();
326 
327     /**
328      * Gets the DER-encoded certificate information, the
329      * {@code tbsCertificate} from this certificate.
330      * This can be used to verify the signature independently.
331      *
332      * @return the DER-encoded certificate information.
333      * @exception CertificateEncodingException if an encoding error occurs.
334      */
335     public abstract byte[] getTBSCertificate()
336         throws CertificateEncodingException;
337 
338     /**
339      * Gets the {@code signature} value (the raw signature bits) from
340      * the certificate.
341      * The ASN.1 definition for this is:
342      * <pre>
343      * signature     BIT STRING
344      * </pre>
345      *
346      * @return the signature.
347      */
348     public abstract byte[] getSignature();
349 
350     /**
351      * Gets the signature algorithm name for the certificate
352      * signature algorithm. An example is the string "SHA256withRSA".
353      * The ASN.1 definition for this is:
354      * <pre>
355      * signatureAlgorithm   AlgorithmIdentifier
356      *
357      * AlgorithmIdentifier  ::=  SEQUENCE  {
358      *     algorithm               OBJECT IDENTIFIER,
359      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
360      *                             -- contains a value of the type
361      *                             -- registered for use with the
362      *                             -- algorithm object identifier value
363      * </pre>
364      *
365      * <p>The algorithm name is determined from the {@code algorithm}
366      * OID string.
367      *
368      * @return the signature algorithm name.
369      */
370     public abstract String getSigAlgName();
371 
372     /**
373      * Gets the signature algorithm OID string from the certificate.
374      * An OID is represented by a set of nonnegative whole numbers separated
375      * by periods.
376      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
377      * with DSA signature algorithm defined in
378      * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
379      * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
380      * and CRL Profile</a>.
381      *
382      * <p>See {@link #getSigAlgName() getSigAlgName} for
383      * relevant ASN.1 definitions.
384      *
385      * @return the signature algorithm OID string.
386      */
387     public abstract String getSigAlgOID();
388 
389     /**
390      * Gets the DER-encoded signature algorithm parameters from this
391      * certificate's signature algorithm. In most cases, the signature
392      * algorithm parameters are null; the parameters are usually
393      * supplied with the certificate's public key.
394      * If access to individual parameter values is needed then use
395      * {@link java.security.AlgorithmParameters AlgorithmParameters}
396      * and instantiate with the name returned by
397      * {@link #getSigAlgName() getSigAlgName}.
398      *
399      * <p>See {@link #getSigAlgName() getSigAlgName} for
400      * relevant ASN.1 definitions.
401      *
402      * @return the DER-encoded signature algorithm parameters, or
403      *         null if no parameters are present.
404      */
405     public abstract byte[] getSigAlgParams();
406 
407     /**
408      * Gets the {@code issuerUniqueID} value from the certificate.
409      * The issuer unique identifier is present in the certificate
410      * to handle the possibility of reuse of issuer names over time.
411      * RFC 3280 recommends that names not be reused and that
412      * conforming certificates not make use of unique identifiers.
413      * Applications conforming to that profile should be capable of
414      * parsing unique identifiers and making comparisons.
415      *
416      * <p>The ASN.1 definition for this is:
417      * <pre>
418      * issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL
419      *
420      * UniqueIdentifier  ::=  BIT STRING
421      * </pre>
422      *
423      * @return the issuer unique identifier or null if it is not
424      * present in the certificate.
425      */
426     public abstract boolean[] getIssuerUniqueID();
427 
428     /**
429      * Gets the {@code subjectUniqueID} value from the certificate.
430      *
431      * <p>The ASN.1 definition for this is:
432      * <pre>
433      * subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL
434      *
435      * UniqueIdentifier  ::=  BIT STRING
436      * </pre>
437      *
438      * @return the subject unique identifier or null if it is not
439      * present in the certificate.
440      */
441     public abstract boolean[] getSubjectUniqueID();
442 
443     /**
444      * Gets a boolean array representing bits of
445      * the {@code KeyUsage} extension, (OID = 2.5.29.15).
446      * The key usage extension defines the purpose (e.g., encipherment,
447      * signature, certificate signing) of the key contained in the
448      * certificate.
449      * The ASN.1 definition for this is:
450      * <pre>
451      * KeyUsage ::= BIT STRING {
452      *     digitalSignature        (0),
453      *     nonRepudiation          (1),
454      *     keyEncipherment         (2),
455      *     dataEncipherment        (3),
456      *     keyAgreement            (4),
457      *     keyCertSign             (5),
458      *     cRLSign                 (6),
459      *     encipherOnly            (7),
460      *     decipherOnly            (8) }
461      * </pre>
462      * RFC 3280 recommends that when used, this be marked
463      * as a critical extension.
464      *
465      * @return the KeyUsage extension of this certificate, represented as
466      * an array of booleans. The order of KeyUsage values in the array is
467      * the same as in the above ASN.1 definition. The array will contain a
468      * value for each KeyUsage defined above. If the KeyUsage list encoded
469      * in the certificate is longer than the above list, it will not be
470      * truncated. Returns null if this certificate does not
471      * contain a KeyUsage extension.
472      */
473     public abstract boolean[] getKeyUsage();
474 
475     /**
476      * Gets an unmodifiable list of Strings representing the OBJECT
477      * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
478      * extended key usage extension, (OID = 2.5.29.37).  It indicates
479      * one or more purposes for which the certified public key may be
480      * used, in addition to or in place of the basic purposes
481      * indicated in the key usage extension field.  The ASN.1
482      * definition for this is:
483      * <pre>
484      * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
485      *
486      * KeyPurposeId ::= OBJECT IDENTIFIER
487      * </pre>
488      *
489      * Key purposes may be defined by any organization with a
490      * need. Object identifiers used to identify key purposes shall be
491      * assigned in accordance with IANA or ITU-T Rec. X.660 |
492      * ISO/IEC/ITU 9834-1.
493      * <p>
494      * This method was added to version 1.4 of the Java 2 Platform Standard
495      * Edition. In order to maintain backwards compatibility with existing
496      * service providers, this method is not {@code abstract}
497      * and it provides a default implementation. Subclasses
498      * should override this method with a correct implementation.
499      *
500      * @return the ExtendedKeyUsage extension of this certificate,
501      *         as an unmodifiable list of object identifiers represented
502      *         as Strings. Returns null if this certificate does not
503      *         contain an ExtendedKeyUsage extension.
504      * @throws CertificateParsingException if the extension cannot be decoded
505      * @since 1.4
506      */
507     public List<String> getExtendedKeyUsage() throws CertificateParsingException {
508         return X509CertImpl.getExtendedKeyUsage(this);
509     }
510 
511     /**
512      * Gets the certificate constraints path length from the
513      * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
514      * <p>
515      * The basic constraints extension identifies whether the subject
516      * of the certificate is a Certificate Authority (CA) and
517      * how deep a certification path may exist through that CA. The
518      * {@code pathLenConstraint} field (see below) is meaningful
519      * only if {@code cA} is set to TRUE. In this case, it gives the
520      * maximum number of CA certificates that may follow this certificate in a
521      * certification path. A value of zero indicates that only an end-entity
522      * certificate may follow in the path.
523      * <p>
524      * The ASN.1 definition for this is:
525      * <pre>
526      * BasicConstraints ::= SEQUENCE {
527      *     cA                  BOOLEAN DEFAULT FALSE,
528      *     pathLenConstraint   INTEGER (0..MAX) OPTIONAL }
529      * </pre>
530      *
531      * @return the value of {@code pathLenConstraint} if the
532      * BasicConstraints extension is present in the certificate and the
533      * subject of the certificate is a CA, otherwise -1.
534      * If the subject of the certificate is a CA and
535      * {@code pathLenConstraint} does not appear,
536      * {@code Integer.MAX_VALUE} is returned to indicate that there is no
537      * limit to the allowed length of the certification path.
538      */
539     public abstract int getBasicConstraints();
540 
541     /**
542      * Gets an immutable collection of subject alternative names from the
543      * {@code SubjectAltName} extension, (OID = 2.5.29.17).
544      * <p>
545      * The ASN.1 definition of the {@code SubjectAltName} extension is:
546      * <pre>
547      * SubjectAltName ::= GeneralNames
548      *
549      * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
550      *
551      * GeneralName ::= CHOICE {
552      *      otherName                       [0]     OtherName,
553      *      rfc822Name                      [1]     IA5String,
554      *      dNSName                         [2]     IA5String,
555      *      x400Address                     [3]     ORAddress,
556      *      directoryName                   [4]     Name,
557      *      ediPartyName                    [5]     EDIPartyName,
558      *      uniformResourceIdentifier       [6]     IA5String,
559      *      iPAddress                       [7]     OCTET STRING,
560      *      registeredID                    [8]     OBJECT IDENTIFIER}
561      * </pre>
562      * <p>
563      * If this certificate does not contain a {@code SubjectAltName}
564      * extension, {@code null} is returned. Otherwise, a
565      * {@code Collection} is returned with an entry representing each
566      * {@code GeneralName} included in the extension. Each entry is a
567      * {@code List} whose first entry is an {@code Integer}
568      * (the name type, 0-8) and whose second entry is a {@code String}
569      * or a byte array (the name, in string or ASN.1 DER encoded form,
570      * respectively).
571      * <p>
572      * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
573      * names are returned as {@code String}s,
574      * using the well-established string formats for those types (subject to
575      * the restrictions included in RFC 3280). IPv4 address names are
576      * returned using dotted quad notation. IPv6 address names are returned
577      * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
578      * representing the eight 16-bit pieces of the address. OID names are
579      * returned as {@code String}s represented as a series of nonnegative
580      * integers separated by periods. And directory names (distinguished names)
581      * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
582      * RFC 2253</a> string format. No standard string format is
583      * defined for otherNames, X.400 names, EDI party names, or any
584      * other type of names. They are returned as byte arrays
585      * containing the ASN.1 DER encoded form of the name.
586      * <p>
587      * Note that the {@code Collection} returned may contain more
588      * than one name of the same type. Also, note that the returned
589      * {@code Collection} is immutable and any entries containing byte
590      * arrays are cloned to protect against subsequent modifications.
591      * <p>
592      * This method was added to version 1.4 of the Java 2 Platform Standard
593      * Edition. In order to maintain backwards compatibility with existing
594      * service providers, this method is not {@code abstract}
595      * and it provides a default implementation. Subclasses
596      * should override this method with a correct implementation.
597      *
598      * @return an immutable {@code Collection} of subject alternative
599      * names (or {@code null})
600      * @throws CertificateParsingException if the extension cannot be decoded
601      * @since 1.4
602      */
603     public Collection<List<?>> getSubjectAlternativeNames()
604         throws CertificateParsingException {
605         return X509CertImpl.getSubjectAlternativeNames(this);
606     }
607 
608     /**
609      * Gets an immutable collection of issuer alternative names from the
610      * {@code IssuerAltName} extension, (OID = 2.5.29.18).
611      * <p>
612      * The ASN.1 definition of the {@code IssuerAltName} extension is:
613      * <pre>
614      * IssuerAltName ::= GeneralNames
615      * </pre>
616      * The ASN.1 definition of {@code GeneralNames} is defined
617      * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
618      * <p>
619      * If this certificate does not contain an {@code IssuerAltName}
620      * extension, {@code null} is returned. Otherwise, a
621      * {@code Collection} is returned with an entry representing each
622      * {@code GeneralName} included in the extension. Each entry is a
623      * {@code List} whose first entry is an {@code Integer}
624      * (the name type, 0-8) and whose second entry is a {@code String}
625      * or a byte array (the name, in string or ASN.1 DER encoded form,
626      * respectively). For more details about the formats used for each
627      * name type, see the {@code getSubjectAlternativeNames} method.
628      * <p>
629      * Note that the {@code Collection} returned may contain more
630      * than one name of the same type. Also, note that the returned
631      * {@code Collection} is immutable and any entries containing byte
632      * arrays are cloned to protect against subsequent modifications.
633      * <p>
634      * This method was added to version 1.4 of the Java 2 Platform Standard
635      * Edition. In order to maintain backwards compatibility with existing
636      * service providers, this method is not {@code abstract}
637      * and it provides a default implementation. Subclasses
638      * should override this method with a correct implementation.
639      *
640      * @return an immutable {@code Collection} of issuer alternative
641      * names (or {@code null})
642      * @throws CertificateParsingException if the extension cannot be decoded
643      * @since 1.4
644      */
645     public Collection<List<?>> getIssuerAlternativeNames()
646         throws CertificateParsingException {
647         return X509CertImpl.getIssuerAlternativeNames(this);
648     }
649 
650      /**
651      * Verifies that this certificate was signed using the
652      * private key that corresponds to the specified public key.
653      * This method uses the signature verification engine
654      * supplied by the specified provider. Note that the specified
655      * Provider object does not have to be registered in the provider list.
656      *
657      * This method was added to version 1.8 of the Java Platform Standard
658      * Edition. In order to maintain backwards compatibility with existing
659      * service providers, this method is not {@code abstract}
660      * and it provides a default implementation.
661      *
662      * @param key the PublicKey used to carry out the verification.
663      * @param sigProvider the signature provider.
664      *
665      * @exception NoSuchAlgorithmException on unsupported signature
666      * algorithms.
667      * @exception InvalidKeyException on incorrect key.
668      * @exception SignatureException on signature errors.
669      * @exception CertificateException on encoding errors.
670      * @exception UnsupportedOperationException if the method is not supported
671      * @since 1.8
672      */
673     public void verify(PublicKey key, Provider sigProvider)
674         throws CertificateException, NoSuchAlgorithmException,
675         InvalidKeyException, SignatureException {
676         X509CertImpl.verify(this, key, sigProvider);
677     }
678 }