Added in API level 1

X509CertSelector

public class X509CertSelector
extends Object implements CertSelector

java.lang.Object
   ↳ java.security.cert.X509CertSelector


A certificate selector (CertSelector) for selecting X509Certificates that match the specified criteria.

Summary

Public constructors

X509CertSelector()

Creates a new X509CertSelector.

Public methods

void addPathToName(int type, byte[] name)

Adds a "pathToName" to the respective criterion.

void addPathToName(int type, String name)

Adds a "pathToName" to the respective criterion.

void addSubjectAlternativeName(int tag, String name)

Adds a subject alternative name to the respective criterion.

void addSubjectAlternativeName(int tag, byte[] name)

Adds a subject alternative name to the respective criterion.

Object clone()

Clones this X509CertSelector instance.

byte[] getAuthorityKeyIdentifier()

Returns the criterion for the AuthorityKeyIdentifier extension.

int getBasicConstraints()

Returns the criterion for the basic constraints extension.

X509Certificate getCertificate()

Returns the certificate that a matching certificate must be equal to.

Date getCertificateValid()

Returns the criterion for the validity date of the certificate.

Set<String> getExtendedKeyUsage()

Returns the criterion for the ExtendedKeyUsage extension.

X500Principal getIssuer()

Returns the issuer that a certificate must match.

byte[] getIssuerAsBytes()

Returns the issuer that a certificate must match.

String getIssuerAsString()

Do not use, use getIssuer() or getIssuerAsBytes() instead.

boolean[] getKeyUsage()

Returns the criterion for the KeyUsage extension.

boolean getMatchAllSubjectAltNames()

Returns the flag for the matching behavior for subject alternative names.

byte[] getNameConstraints()

Returns the criterion for the name constraints.

Collection<List<?>> getPathToNames()

Returns the criterion for the pathToNames constraint.

Set<String> getPolicy()

Returns the criterion for the policy constraint.

Date getPrivateKeyValid()

Returns the criterion for the validity date of the private key.

BigInteger getSerialNumber()

Returns the serial number that a certificate must match.

X500Principal getSubject()

Returns the subject that a certificate must match.

Collection<List<?>> getSubjectAlternativeNames()

Returns the criterion for subject alternative names.

byte[] getSubjectAsBytes()

Returns the subject that a certificate must match.

String getSubjectAsString()

Do not use, use getSubject() or getSubjectAsBytes() instead.

byte[] getSubjectKeyIdentifier()

Returns the criterion for the SubjectKeyIdentifier extension.

PublicKey getSubjectPublicKey()

Returns the criterion for the subject public key.

String getSubjectPublicKeyAlgID()

Returns the criterion for the subject public key signature algorithm.

boolean match(Certificate certificate)

Returns whether the specified certificate matches all the criteria collected in this instance.

void setAuthorityKeyIdentifier(byte[] authorityKeyIdentifier)

Sets the criterion for the AuthorityKeyIdentifier extension.

void setBasicConstraints(int pathLen)

Sets the criterion for the basic constraints extension.

void setCertificate(X509Certificate certificate)

Sets the certificate that a matching certificate must be equal to.

void setCertificateValid(Date certificateValid)

Sets the criterion for the validity date of the certificate.

void setExtendedKeyUsage(Set<String> keyUsage)

Sets the criterion for the ExtendedKeyUsage extension.

void setIssuer(String issuerName)

Do not use, use getIssuer() or getIssuerAsBytes() instead.

void setIssuer(X500Principal issuer)

Sets the issuer that a certificate must match.

void setIssuer(byte[] issuerDN)

Sets the issuer that a certificate must match.

void setKeyUsage(boolean[] keyUsage)

Sets the criterion for the KeyUsage extension.

void setMatchAllSubjectAltNames(boolean matchAllNames)

Sets the flag for the matching behavior for subject alternative names.

void setNameConstraints(byte[] bytes)

Sets the criterion for the name constraints.

void setPathToNames(Collection<List<?>> names)

Sets the criterion for the pathToNames constraint.

void setPolicy(Set<String> policies)

Sets the criterion for the policy constraint.

void setPrivateKeyValid(Date privateKeyValid)

Sets the criterion for the validity date of the private key.

void setSerialNumber(BigInteger serialNumber)

Sets the serial number that a certificate must match.

void setSubject(X500Principal subject)

Sets the subject that a certificate must match.

void setSubject(String subjectDN)

Do not use, use setSubject(byte[]) or setSubject(X500Principal) instead.

void setSubject(byte[] subjectDN)

Sets the subject that a certificate must match.

void setSubjectAlternativeNames(Collection<List<?>> names)

Sets the criterion for subject alternative names.

void setSubjectKeyIdentifier(byte[] subjectKeyIdentifier)

Sets the criterion for the SubjectKeyIdentifier extension.

void setSubjectPublicKey(byte[] key)

Sets the criterion for the subject public key.

void setSubjectPublicKey(PublicKey key)

Sets the criterion for the subject public key.

void setSubjectPublicKeyAlgID(String oid)

Sets the criterion for the subject public key signature algorithm.

String toString()

Returns a string representation of this X509CertSelector instance.

Inherited methods

From class java.lang.Object
From interface java.security.cert.CertSelector

Public constructors

X509CertSelector

Added in API level 1
X509CertSelector ()

Creates a new X509CertSelector.

Public methods

addPathToName

Added in API level 1
void addPathToName (int type, 
                byte[] name)

Adds a "pathToName" to the respective criterion.

Parameters
type int: the type of the name
name byte[]: the name in ASN.1 DER encoded form.
Throws
IOException if decoding fails.


addPathToName

Added in API level 1
void addPathToName (int type, 
                String name)

Adds a "pathToName" to the respective criterion.

Parameters
type int: the type of the name.
name String: the name in string format.
Throws
IOException if parsing fails.


addSubjectAlternativeName

Added in API level 1
void addSubjectAlternativeName (int tag, 
                String name)

Adds a subject alternative name to the respective criterion.

Parameters
tag int: the type of the name
name String: the name in string format.
Throws
IOException if parsing the name fails.

addSubjectAlternativeName

Added in API level 1
void addSubjectAlternativeName (int tag, 
                byte[] name)

Adds a subject alternative name to the respective criterion.

Parameters
tag int: the type of the name.
name byte[]: the name in ASN.1 DER encoded form.
Throws
IOException if the decoding of the name fails.

clone

Added in API level 1
Object clone ()

Clones this X509CertSelector instance.

Returns
Object the cloned instance.

getAuthorityKeyIdentifier

Added in API level 1
byte[] getAuthorityKeyIdentifier ()

Returns the criterion for the AuthorityKeyIdentifier extension.

Returns
byte[] the authority key identifier, or null if it is not to be checked.

getBasicConstraints

Added in API level 1
int getBasicConstraints ()

Returns the criterion for the basic constraints extension.

A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

Returns
int the value of the criterion.

getCertificate

Added in API level 1
X509Certificate getCertificate ()

Returns the certificate that a matching certificate must be equal to.

Returns
X509Certificate the certificate to match, or null if this criterion is not checked.

getCertificateValid

Added in API level 1
Date getCertificateValid ()

Returns the criterion for the validity date of the certificate.

Returns
Date the validity date or null if the date is not to be checked.

getExtendedKeyUsage

Added in API level 1
Set<String> getExtendedKeyUsage ()

Returns the criterion for the ExtendedKeyUsage extension.

Returns
Set<String> the set of key usage OIDs, or null if it's not to be checked.

getIssuer

Added in API level 1
X500Principal getIssuer ()

Returns the issuer that a certificate must match.

Returns
X500Principal the issuer that a certificate must match, or null if the issuer is not to be checked.

getIssuerAsBytes

Added in API level 1
byte[] getIssuerAsBytes ()

Returns the issuer that a certificate must match.

Returns
byte[] the distinguished issuer name in ASN.1 DER encoded format, or null if the issuer is not to be checked.
Throws
IOException if encoding the issuer fails.

getIssuerAsString

Added in API level 1
String getIssuerAsString ()

Do not use, use getIssuer() or getIssuerAsBytes() instead. Returns the issuer that a certificate must match in an RFC 2253 format string.

Returns
String the issuer in an RFC 2253 format string, or null if the issuer is not to be checked.

getKeyUsage

Added in API level 1
boolean[] getKeyUsage ()

Returns the criterion for the KeyUsage extension.

Returns
boolean[] the boolean array in the format returned by X509Certificate.getKeyUsage(), or null if the key usage is not to be checked.

getMatchAllSubjectAltNames

Added in API level 1
boolean getMatchAllSubjectAltNames ()

Returns the flag for the matching behavior for subject alternative names.

The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(Collection<List<?>>) or addSubjectAlternativeName(int, byte[]).

Returns
boolean true if a certificate must contain all of the specified subject alternative names, otherwise false.

getNameConstraints

Added in API level 1
byte[] getNameConstraints ()

Returns the criterion for the name constraints.

Returns
byte[] the name constraints or null if none specified.


getPathToNames

Added in API level 1
Collection<List<?>> getPathToNames ()

Returns the criterion for the pathToNames constraint.

The constraint is a collection with an entry for each name to be included in the criterion. The name is specified as a List, the first entry is an Integer specifying the name type (0-8), the second entry is a byte array specifying the name in ASN.1 DER encoded form.

Returns
Collection<List<?>> the pathToNames constraint or null if none specified.

getPolicy

Added in API level 1
Set<String> getPolicy ()

Returns the criterion for the policy constraint.

The certificate must have at least one of the certificate policy extensions. For an empty set the certificate must have at least some policies in its policy extension.

Returns
Set<String> the certificate policy OIDs, an empty set, or null if not to be checked.

getPrivateKeyValid

Added in API level 1
Date getPrivateKeyValid ()

Returns the criterion for the validity date of the private key.

The private key must be valid at the specified date.

Returns
Date the validity date or null if the date is not to be checked.

getSerialNumber

Added in API level 1
BigInteger getSerialNumber ()

Returns the serial number that a certificate must match.

Returns
BigInteger the serial number to match, or null if the serial number is not to be checked.

getSubject

Added in API level 1
X500Principal getSubject ()

Returns the subject that a certificate must match.

Returns
X500Principal the subject distinguished name, or null if the subject is not to be checked.

getSubjectAlternativeNames

Added in API level 1
Collection<List<?>> getSubjectAlternativeNames ()

Returns the criterion for subject alternative names.

The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

The subject alternative names criterion is a collection with an entry for each name included in the criterion. Each name is specified as a List: the first entry is an Integer specifying the name type (0-8), and the second entry is a byte array specifying the name in ASN.1 DER encoded form.

Returns
Collection<List<?>> the names collection or null if none specified.

getSubjectAsBytes

Added in API level 1
byte[] getSubjectAsBytes ()

Returns the subject that a certificate must match.

Returns
byte[] the subject distinguished name in ASN.1 DER format, or null if the subject is not to be checked.
Throws
IOException if encoding the subject fails.

getSubjectAsString

Added in API level 1
String getSubjectAsString ()

Do not use, use getSubject() or getSubjectAsBytes() instead. Returns the subject that a certificate must match.

Returns
String the subject distinguished name in RFC 2253 format, or null if the subject is not to be checked.

getSubjectKeyIdentifier

Added in API level 1
byte[] getSubjectKeyIdentifier ()

Returns the criterion for the SubjectKeyIdentifier extension.

Returns
byte[] the subject key identifier or null if it is not to be checked.

getSubjectPublicKey

Added in API level 1
PublicKey getSubjectPublicKey ()

Returns the criterion for the subject public key.

Returns
PublicKey the subject public key or null if the key is not to be checked.

getSubjectPublicKeyAlgID

Added in API level 1
String getSubjectPublicKeyAlgID ()

Returns the criterion for the subject public key signature algorithm.

Returns
String the OID (object identifier) of the signature algorithm, or null if it's not to be checked.

match

Added in API level 1
boolean match (Certificate certificate)

Returns whether the specified certificate matches all the criteria collected in this instance.

Parameters
certificate Certificate: the certificate to check.
Returns
boolean true if the certificate matches all the criteria, otherwise false.

setAuthorityKeyIdentifier

Added in API level 1
void setAuthorityKeyIdentifier (byte[] authorityKeyIdentifier)

Sets the criterion for the AuthorityKeyIdentifier extension.

Parameters
authorityKeyIdentifier byte[]: the authority key identifier, or null to disable this check.

setBasicConstraints

Added in API level 1
void setBasicConstraints (int pathLen)

Sets the criterion for the basic constraints extension.

A value greater than or equal to zero indicates that a certificate must include a basic constraints extension with a path length of at least that value. A value of -2 indicates that only end-entity certificates are accepted. A value of -1 indicates that no check is done.

Parameters
pathLen int: the value specifying the criterion.
Throws
IllegalArgumentException if pathLen is less than -2.

setCertificate

Added in API level 1
void setCertificate (X509Certificate certificate)

Sets the certificate that a matching certificate must be equal to.

Parameters
certificate X509Certificate: the certificate to match, or null to not check this criterion.

setCertificateValid

Added in API level 1
void setCertificateValid (Date certificateValid)

Sets the criterion for the validity date of the certificate.

The certificate must be valid at the specified date.

Parameters
certificateValid Date: the validity date or null to not check the date.
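
Added example (not part of the Android reference): it filters the platform's default trust anchors using the setBasicConstraints values and the setCertificateValid criterion described above, then combines issuer and serial number in one selector. The names SelectorDemo, select and platformTrustAnchors are assumptions, and the input is whatever the local default trust store contains.

```java
import java.security.KeyStore;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; SelectorDemo, select and platformTrustAnchors are hypothetical names.
public class SelectorDemo {

    // Returns the certificates in pool that satisfy every criterion set on selector.
    static List<X509Certificate> select(X509CertSelector selector, List<X509Certificate> pool) {
        List<X509Certificate> hits = new ArrayList<>();
        for (X509Certificate cert : pool) {
            if (selector.match(cert)) {
                hits.add(cert);
            }
        }
        return hits;
    }

    // Sample input: the trust anchors of the platform's default trust store.
    static List<X509Certificate> platformTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> pool = platformTrustAnchors();
        Date now = new Date();

        // No criterion set: nothing is checked.
        X509CertSelector unconstrained = new X509CertSelector();

        // Value >= 0: a basic constraints extension with at least that path length,
        // and the certificate must be valid at the given date.
        X509CertSelector currentCas = new X509CertSelector();
        currentCas.setBasicConstraints(0);
        currentCas.setCertificateValid(now);

        // Value -2: only end-entity certificates are accepted.
        X509CertSelector endEntities = new X509CertSelector();
        endEntities.setBasicConstraints(-2);
        endEntities.setCertificateValid(now);

        List<X509Certificate> cas = select(currentCas, pool);
        System.out.println("trust anchors:            " + select(unconstrained, pool).size());
        System.out.println("valid now, pathLen >= 0:  " + cas.size());
        System.out.println("valid now, end-entity:    " + select(endEntities, pool).size());

        // match() requires all criteria to hold: issuer and serial number together.
        if (!cas.isEmpty()) {
            X509Certificate first = cas.get(0);
            X509CertSelector exact = new X509CertSelector();
            exact.setIssuer(first.getIssuerX500Principal());
            exact.setSerialNumber(first.getSerialNumber());
            System.out.println("issuer + serial matches:  " + select(exact, pool).size());
        }
    }
}
```

The same selector objects can be passed to CertStore.getCertificates(CertSelector) instead of looping over match() by hand.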

setExtendedKeyUsage

Added in API level 1
void setExtendedKeyUsage (Set<String> keyUsage)

Sets the criterion for the ExtendedKeyUsage extension.

Parameters
keyUsage Set<String>: the set of key usage OIDs, or null to not check it.
Throws
IOException if one of the OIDs is invalid.

setIssuer

Added in API level 1
void setIssuer (String issuerName)

Do not use, use getIssuer() or getIssuerAsBytes() instead. Sets the issuer that a certificate must match.

Parameters
issuerName String: the issuer in an RFC 2253 format string, or null to not check the issuer.
Throws
IOException if parsing the issuer fails.

setIssuer

Added in API level 1
void setIssuer (X500Principal issuer)

Sets the issuer that a certificate must match.

Parameters
issuer X500Principal: the issuer to match, or null if the issuer is not to be checked.

setIssuer

Added in API level 1
void setIssuer (byte[] issuerDN)

Sets the issuer that a certificate must match.

Parameters
issuerDN byte[]: the distinguished issuer name in ASN.1 DER encoded format, or null to not check the issuer.
Throws
IOException if decoding the issuer fails.

setKeyUsage

Added in API level 1
void setKeyUsage (boolean[] keyUsage)

Sets the criterion for the KeyUsage extension.

Parameters
keyUsage boolean[]: the boolean array in the format returned by X509Certificate.getKeyUsage(), or null to not check the key usage.

setMatchAllSubjectAltNames

Added in API level 1
void setMatchAllSubjectAltNames (boolean matchAllNames)

Sets the flag for the matching behavior for subject alternative names.

The flag indicates whether a certificate must contain all or at least one of the subject alternative names specified by setSubjectAlternativeNames(Collection<List<?>>) or addSubjectAlternativeName(int, byte[]).

Parameters
matchAllNames boolean: true if a certificate must contain all of the specified subject alternative names, otherwise false.

setNameConstraints

Added in API level 1
void setNameConstraints (byte[] bytes)

Sets the criterion for the name constraints.

The certificate must have a subject and subject alternative names that match the specified name constraints.

The name constraints in ASN.1:

 NameConstraints ::= SEQUENCE {
        permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
        excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

 GeneralSubtree ::= SEQUENCE {
        base                    GeneralName,
        minimum         [0]     BaseDistance DEFAULT 0,
        maximum         [1]     BaseDistance OPTIONAL }

 BaseDistance ::= INTEGER (0..MAX)

 GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER}

 

Parameters
bytes byte[]: the name constraints in ASN.1 DER encoded format, or null to not check any constraints.
Throws
IOException if decoding the name constraints fails.

setPathToNames

Added in API level 1
void setPathToNames (Collection<List<?>> names)

Sets the criterion for the pathToNames constraint.

This allows specifying the complete set of names that a certificate's name constraints must permit.

The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), and the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

Parameters
names Collection<List<?>>: the names collection or null to not perform this check.
Throws
IOException if decoding fails.

setPolicy

Added in API level 1
void setPolicy (Set<String> policies)

Sets the criterion for the policy constraint.

The certificate must have at least one of the specified certificate policy extensions. For an empty set the certificate must have at least some policies in its policy extension.

Parameters
policies Set<String>: the certificate policy OIDs, an empty set, or null to not perform this check.
Throws
IOException if parsing the specified OIDs fails.

setPrivateKeyValid

Added in API level 1
void setPrivateKeyValid (Date privateKeyValid)

Sets the criterion for the validity date of the private key.

The private key must be valid at the specified date.

Parameters
privateKeyValid Date: the validity date or null to not check the date.

setSerialNumber

Added in API level 1
void setSerialNumber (BigInteger serialNumber)

Sets the serial number that a certificate must match.

Parameters
serialNumber BigInteger: the serial number to match, or null to not check the serial number.

setSubject

Added in API level 1
void setSubject (X500Principal subject)

Sets the subject that a certificate must match.

Parameters
subject X500Principal: the subject distinguished name or null to not check the subject.

setSubject

Added in API level 1
void setSubject (String subjectDN)

Do not use, use setSubject(byte[]) or setSubject(X500Principal) instead. Sets the subject that a certificate must match.

Parameters
subjectDN String: the subject distinguished name in RFC 2253 format or null to not check the subject.
Throws
IOException if decoding the subject fails.

setSubject

Added in API level 1
void setSubject (byte[] subjectDN)

Sets the subject that a certificate must match.

Parameters
subjectDN byte[]: the subject distinguished name in ASN.1 DER format, or null to not check the subject.
Throws
IOException if decoding the subject fails.

setSubjectAlternativeNames

Added in API level 1
void setSubjectAlternativeNames (Collection<List<?>> names)

Sets the criterion for subject alternative names.

The certificate must contain all or at least one of the specified subject alternative names. The behavior is specified by getMatchAllSubjectAltNames().

The specified parameter names is a collection with an entry for each name to be included in the criterion. Each name is specified as a List: the first entry must be an Integer specifying the name type (0-8), and the second entry must be a String or a byte array specifying the name (in string or ASN.1 DER encoded form).

Parameters
names Collection<List<?>>: the names collection or null to not perform this check.
Throws
IOException if the decoding of a name fails.

setSubjectKeyIdentifier

Added in API level 1
void setSubjectKeyIdentifier (byte[] subjectKeyIdentifier)

Sets the criterion for the SubjectKeyIdentifier extension.

The subjectKeyIdentifier should be a single DER encoded value.

Parameters
subjectKeyIdentifier byte[]: the subject key identifier or null to disable this check.

setSubjectPublicKey

Added in API level 1
void setSubjectPublicKey (byte[] key)

Sets the criterion for the subject public key.

Parameters
key byte[]: the subject public key in ASN.1 DER encoded format or null to not check the key.
Throws
IOException if decoding the public key fails.

setSubjectPublicKey

Added in API level 1
void setSubjectPublicKey (PublicKey key)

Sets the criterion for the subject public key.

Parameters
key PublicKey: the subject public key or null to not check the key.

setSubjectPublicKeyAlgID

Added in API level 1
void setSubjectPublicKeyAlgID (String oid)

Sets the criterion for the subject public key signature algorithm.

The certificate must contain a subject public key with the algorithm specified.

Parameters
oid String: the OID (object identifier) of the signature algorithm or null to not check the OID.
Throws
IOException if the specified object identifier is invalid.

toString

Added in API level 1
String toString ()

Returns a string representation of this X509CertSelector instance.

Returns
String a string representation of this X509CertSelector instance.