java.security.cert
Class X509CertSelector

java.lang.Object   
  java.security.cert.X509CertSelector

All Implemented Interfaces:

Cloneable , CertSelector

public class X509CertSelector
extends Object   
implements CertSelector   

A CertSelector that selects X509Certificates that match all specified criteria. This class is particularly useful when selecting certificates from a CertStore to build a PKIX-compliant certification path.

When first constructed, an X509CertSelector has no criteria enabled and each of the get methods return a default value (null, or -1 for the getBasicConstraints method). Therefore, the match method would return true for any X509Certificate. Typically, several criteria are enabled (by calling setIssuer or setKeyUsage , for instance) and then the X509CertSelector is passed to CertStore.getCertificates or some similar method.

Several criteria can be enabled (by calling setIssuer and setSerialNumber , for example) such that the match method usually uniquely matches a single X509Certificate. We say usually, since it is possible for two issuing CAs to have the same distinguished name and each issue a certificate with the same serial number. Other unique combinations include the issuer, subject, subjectKeyIdentifier and/or the subjectPublicKey criteria.

Please refer to RFC 2459 for definitions of the X.509 certificate extensions mentioned below.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Since:

1.4

See Also:

CertSelector , X509Certificate

Constructor Summary

X509CertSelector ()
Creates an X509CertSelector.

Method Summary

void	addPathToName (int type, byte[] name) Adds a name to the pathToNames criterion.
void	addPathToName (int type, String name) Adds a name to the pathToNames criterion.
void	addSubjectAlternativeName (int type, byte[] name) Adds a name to the subjectAlternativeNames criterion.
void	addSubjectAlternativeName (int type, String name) Adds a name to the subjectAlternativeNames criterion.
Object	clone () Returns a copy of this object.
byte[]	getAuthorityKeyIdentifier () Returns the authorityKeyIdentifier criterion.
int	getBasicConstraints () Returns the basic constraints constraint.
X509Certificate	getCertificate () Returns the certificateEquals criterion.
Date	getCertificateValid () Returns the certificateValid criterion.
Set <String >	getExtendedKeyUsage () Returns the extendedKeyUsage criterion.
X500Principal	getIssuer () Returns the issuer criterion as an X500Principal.
byte[]	getIssuerAsBytes () Returns the issuer criterion as a byte array.
String	getIssuerAsString () Denigrated, use getIssuer() or getIssuerAsBytes() instead.
boolean[]	getKeyUsage () Returns the keyUsage criterion.
boolean	getMatchAllSubjectAltNames () Indicates if the X509Certificate must contain all or at least one of the subjectAlternativeNames specified in the setSubjectAlternativeNames or addSubjectAlternativeName methods.
byte[]	getNameConstraints () Returns the name constraints criterion.
Collection <List <?>>	getPathToNames () Returns a copy of the pathToNames criterion.
Set <String >	getPolicy () Returns the policy criterion.
Date	getPrivateKeyValid () Returns the privateKeyValid criterion.
BigInteger	getSerialNumber () Returns the serialNumber criterion.
X500Principal	getSubject () Returns the subject criterion as an X500Principal.
Collection <List <?>>	getSubjectAlternativeNames () Returns a copy of the subjectAlternativeNames criterion.
byte[]	getSubjectAsBytes () Returns the subject criterion as a byte array.
String	getSubjectAsString () Denigrated, use getSubject() or getSubjectAsBytes() instead.
byte[]	getSubjectKeyIdentifier () Returns the subjectKeyIdentifier criterion.
PublicKey	getSubjectPublicKey () Returns the subjectPublicKey criterion.
String	getSubjectPublicKeyAlgID () Returns the subjectPublicKeyAlgID criterion.
boolean	match (Certificate cert) Decides whether a Certificate should be selected.
void	setAuthorityKeyIdentifier (byte[] authorityKeyID) Sets the authorityKeyIdentifier criterion.
void	setBasicConstraints (int minMaxPathLen) Sets the basic constraints constraint.
void	setCertificate (X509Certificate cert) Sets the certificateEquals criterion.
void	setCertificateValid (Date certValid) Sets the certificateValid criterion.
void	setExtendedKeyUsage (Set <String > keyPurposeSet) Sets the extendedKeyUsage criterion.
void	setIssuer (byte[] issuerDN) Sets the issuer criterion.
void	setIssuer (String issuerDN) Denigrated, use setIssuer(X500Principal) or setIssuer(byte[]) instead.
void	setIssuer (X500Principal issuer) Sets the issuer criterion.
void	setKeyUsage (boolean[] keyUsage) Sets the keyUsage criterion.
void	setMatchAllSubjectAltNames (boolean matchAllNames) Enables/disables matching all of the subjectAlternativeNames specified in the setSubjectAlternativeNames or addSubjectAlternativeName methods.
void	setNameConstraints (byte[] bytes) Sets the name constraints criterion.
void	setPathToNames (Collection <List <?>> names) Sets the pathToNames criterion.
void	setPolicy (Set <String > certPolicySet) Sets the policy constraint.
void	setPrivateKeyValid (Date privateKeyValid) Sets the privateKeyValid criterion.
void	setSerialNumber (BigInteger serial) Sets the serialNumber criterion.
void	setSubject (byte[] subjectDN) Sets the subject criterion.
void	setSubject (String subjectDN) Denigrated, use setSubject(X500Principal) or setSubject(byte[]) instead.
void	setSubject (X500Principal subject) Sets the subject criterion.
void	setSubjectAlternativeNames (Collection <List <?>> names) Sets the subjectAlternativeNames criterion.
void	setSubjectKeyIdentifier (byte[] subjectKeyID) Sets the subjectKeyIdentifier criterion.
void	setSubjectPublicKey (byte[] key) Sets the subjectPublicKey criterion.
void	setSubjectPublicKey (PublicKey key) Sets the subjectPublicKey criterion.
void	setSubjectPublicKeyAlgID (String oid) Sets the subjectPublicKeyAlgID criterion.
String	toString () Return a printable representation of the CertSelector.

Methods inherited from class java.lang.Object

equals , finalize , getClass , hashCode , notify , notifyAll , wait , wait , wait

Constructor Detail

X509CertSelector

public X509CertSelector()

Creates an X509CertSelector. Initially, no criteria are set so any X509Certificate will match.

Method Detail

setCertificate

public void setCertificate(X509Certificate    cert)

Sets the certificateEquals criterion. The specified X509Certificate must be equal to the X509Certificate passed to the match method. If null, then this check is not applied.

This method is particularly useful when it is necessary to match a single certificate. Although other criteria can be specified in conjunction with the certificateEquals criterion, it is usually not practical or necessary.

Parameters:

cert - the X509Certificate to match (or null)

See Also:

getCertificate()

setSerialNumber

public void setSerialNumber(BigInteger    serial)

Sets the serialNumber criterion. The specified serial number must match the certificate serial number in the X509Certificate. If null, any certificate serial number will do.

Parameters:

serial - the certificate serial number to match (or null)

See Also:

getSerialNumber()

setIssuer

public void setIssuer(X500Principal    issuer)

Sets the issuer criterion. The specified distinguished name must match the issuer distinguished name in the X509Certificate. If null, any issuer distinguished name will do.

Parameters:

issuer - a distinguished name as X500Principal (or null)

Since:

1.5

setIssuer

public void setIssuer(String    issuerDN)
               throws IOException   

Denigrated, use setIssuer(X500Principal) or