1 /*
   2  * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.math.BigInteger;
  29 import java.security.*;
  30 import java.security.spec.*;
  31 import java.util.Collection;
  32 import java.util.Date;
  33 import java.util.List;
  34 import javax.security.auth.x500.X500Principal;
  35 
  36 import sun.security.x509.X509CertImpl;
  37 import sun.security.util.SignatureUtil;
  38 
  39 /**
  40  * <p>
  41  * Abstract class for X.509 certificates. This provides a standard
  42  * way to access all the attributes of an X.509 certificate.
  43  * <p>
  44  * In June of 1996, the basic X.509 v3 format was completed by
  45  * ISO/IEC and ANSI X9, which is described below in ASN.1:
  46  * <pre>
  47  * Certificate  ::=  SEQUENCE  {
  48  *     tbsCertificate       TBSCertificate,
  49  *     signatureAlgorithm   AlgorithmIdentifier,
  50  *     signature            BIT STRING  }
  51  * </pre>
  52  * <p>
  53  * These certificates are widely used to support authentication and
  54  * other functionality in Internet security systems. Common applications
  55  * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
  56  * code signing for trusted software distribution, and Secure Electronic
  57  * Transactions (SET).
  58  * <p>
  59  * These certificates are managed and vouched for by <em>Certificate
  60  * Authorities</em> (CAs). CAs are services which create certificates by
  61  * placing data in the X.509 standard format and then digitally signing
  62  * that data. CAs act as trusted third parties, making introductions
  63  * between principals who have no direct knowledge of each other.
  64  * CA certificates are either signed by themselves, or by some other
  65  * CA such as a "root" CA.
  66  * <p>
  67  * More information can be found in
  68  * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
  69  * Public Key Infrastructure Certificate and CRL Profile</a>.
  70  * <p>
  71  * The ASN.1 definition of {@code tbsCertificate} is:
  72  * <pre>
  73  * TBSCertificate  ::=  SEQUENCE  {
  74  *     version         [0]  EXPLICIT Version DEFAULT v1,
  75  *     serialNumber         CertificateSerialNumber,
  76  *     signature            AlgorithmIdentifier,
  77  *     issuer               Name,
  78  *     validity             Validity,
  79  *     subject              Name,
  80  *     subjectPublicKeyInfo SubjectPublicKeyInfo,
  81  *     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
  82  *                          -- If present, version must be v2 or v3
  83  *     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
  84  *                          -- If present, version must be v2 or v3
  85  *     extensions      [3]  EXPLICIT Extensions OPTIONAL
  86  *                          -- If present, version must be v3
  87  *     }
  88  * </pre>
  89  * <p>
  90  * Certificates are instantiated using a certificate factory. The following is
  91  * an example of how to instantiate an X.509 certificate:
  92  * <pre>
  93  * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
  94  *     CertificateFactory cf = CertificateFactory.getInstance("X.509");
  95  *     X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
  96  * }
  97  * </pre>
  98  *
  99  * @author Hemma Prafullchandra
 100  * @since 1.2
 101  *
 102  *
 103  * @see Certificate
 104  * @see CertificateFactory
 105  * @see X509Extension
 106  */
 107 
 108 public abstract class X509Certificate extends Certificate
 109 implements X509Extension {
 110 
 111     private static final long serialVersionUID = -2491127588187038216L;
 112 
 113     private transient X500Principal subjectX500Principal, issuerX500Principal;
 114 
 115     /**
 116      * Constructor for X.509 certificates.
 117      */
 118     protected X509Certificate() {
 119         super("X.509");
 120     }
 121 
 122     /**
 123      * Checks that the certificate is currently valid. It is if
 124      * the current date and time are within the validity period given in the
 125      * certificate.
 126      * <p>
 127      * The validity period consists of two date/time values:
 128      * the first and last dates (and times) on which the certificate
 129      * is valid. It is defined in
 130      * ASN.1 as:
 131      * <pre>
 132      * validity             Validity
 133      *
 134      * Validity ::= SEQUENCE {
 135      *     notBefore      CertificateValidityDate,
 136      *     notAfter       CertificateValidityDate }
 137      *
 138      * CertificateValidityDate ::= CHOICE {
 139      *     utcTime        UTCTime,
 140      *     generalTime    GeneralizedTime }
 141      * </pre>
 142      *
 143      * @exception CertificateExpiredException if the certificate has expired.
 144      * @exception CertificateNotYetValidException if the certificate is not
 145      * yet valid.
 146      */
 147     public abstract void checkValidity()
 148         throws CertificateExpiredException, CertificateNotYetValidException;
 149 
 150     /**
 151      * Checks that the given date is within the certificate's
 152      * validity period. In other words, this determines whether the
 153      * certificate would be valid at the given date/time.
 154      *
 155      * @param date the Date to check against to see if this certificate
 156      *        is valid at that date/time.
 157      *
 158      * @exception CertificateExpiredException if the certificate has expired
 159      * with respect to the {@code date} supplied.
 160      * @exception CertificateNotYetValidException if the certificate is not
 161      * yet valid with respect to the {@code date} supplied.
 162      *
 163      * @see #checkValidity()
 164      */
 165     public abstract void checkValidity(Date date)
 166         throws CertificateExpiredException, CertificateNotYetValidException;
 167 
 168     /**
 169      * Gets the {@code version} (version number) value from the
 170      * certificate.
 171      * The ASN.1 definition for this is:
 172      * <pre>
 173      * version  [0] EXPLICIT Version DEFAULT v1
 174      *
 175      * Version ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 176      * </pre>
 177      * @return the version number, i.e. 1, 2 or 3.
 178      */
 179     public abstract int getVersion();
 180 
 181     /**
 182      * Gets the {@code serialNumber} value from the certificate.
 183      * The serial number is an integer assigned by the certification
 184      * authority to each certificate. It must be unique for each
 185      * certificate issued by a given CA (i.e., the issuer name and
 186      * serial number identify a unique certificate).
 187      * The ASN.1 definition for this is:
 188      * <pre>
 189      * serialNumber     CertificateSerialNumber
 190      *
 191      * CertificateSerialNumber  ::=  INTEGER
 192      * </pre>
 193      *
 194      * @return the serial number.
 195      */
 196     public abstract BigInteger getSerialNumber();
 197 
 198     /**
 199      * <strong>Denigrated</strong>, replaced by {@linkplain
 200      * #getIssuerX500Principal()}. This method returns the {@code issuer}
 201      * as an implementation specific Principal object, which should not be
 202      * relied upon by portable code.
 203      *
 204      * <p>
 205      * Gets the {@code issuer} (issuer distinguished name) value from
 206      * the certificate. The issuer name identifies the entity that signed (and
 207      * issued) the certificate.
 208      *
 209      * <p>The issuer name field contains an
 210      * X.500 distinguished name (DN).
 211      * The ASN.1 definition for this is:
 212      * <pre>
 213      * issuer    Name
 214      *
 215      * Name ::= CHOICE { RDNSequence }
 216      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 217      * RelativeDistinguishedName ::=
 218      *     SET OF AttributeValueAssertion
 219      *
 220      * AttributeValueAssertion ::= SEQUENCE {
 221      *                               AttributeType,
 222      *                               AttributeValue }
 223      * AttributeType ::= OBJECT IDENTIFIER
 224      * AttributeValue ::= ANY
 225      * </pre>
 226      * The {@code Name} describes a hierarchical name composed of
 227      * attributes,
 228      * such as country name, and corresponding values, such as US.
 229      * The type of the {@code AttributeValue} component is determined by
 230      * the {@code AttributeType}; in general it will be a
 231      * {@code directoryString}. A {@code directoryString} is usually
 232      * one of {@code PrintableString},
 233      * {@code TeletexString} or {@code UniversalString}.
 234      *
 235      * @return a Principal whose name is the issuer distinguished name.
 236      */
 237     public abstract Principal getIssuerDN();
 238 
 239     /**
 240      * Returns the issuer (issuer distinguished name) value from the
 241      * certificate as an {@code X500Principal}.
 242      * <p>
 243      * It is recommended that subclasses override this method.
 244      *
 245      * @return an {@code X500Principal} representing the issuer
 246      *          distinguished name
 247      * @since 1.4
 248      */
 249     public X500Principal getIssuerX500Principal() {
 250         if (issuerX500Principal == null) {
 251             issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
 252         }
 253         return issuerX500Principal;
 254     }
 255 
 256     /**
 257      * <strong>Denigrated</strong>, replaced by {@linkplain
 258      * #getSubjectX500Principal()}. This method returns the {@code subject}
 259      * as an implementation specific Principal object, which should not be
 260      * relied upon by portable code.
 261      *
 262      * <p>
 263      * Gets the {@code subject} (subject distinguished name) value
 264      * from the certificate.  If the {@code subject} value is empty,
 265      * then the {@code getName()} method of the returned
 266      * {@code Principal} object returns an empty string ("").
 267      *
 268      * <p> The ASN.1 definition for this is:
 269      * <pre>
 270      * subject    Name
 271      * </pre>
 272      *
 273      * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
 274      * and other relevant definitions.
 275      *
 276      * @return a Principal whose name is the subject name.
 277      */
 278     public abstract Principal getSubjectDN();
 279 
 280     /**
 281      * Returns the subject (subject distinguished name) value from the
 282      * certificate as an {@code X500Principal}.  If the subject value
 283      * is empty, then the {@code getName()} method of the returned
 284      * {@code X500Principal} object returns an empty string ("").
 285      * <p>
 286      * It is recommended that subclasses override this method.
 287      *
 288      * @return an {@code X500Principal} representing the subject
 289      *          distinguished name
 290      * @since 1.4
 291      */
 292     public X500Principal getSubjectX500Principal() {
 293         if (subjectX500Principal == null) {
 294             subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
 295         }
 296         return subjectX500Principal;
 297     }
 298 
 299     /**
 300      * Gets the {@code notBefore} date from the validity period of
 301      * the certificate.
 302      * The relevant ASN.1 definitions are:
 303      * <pre>
 304      * validity             Validity
 305      *
 306      * Validity ::= SEQUENCE {
 307      *     notBefore      CertificateValidityDate,
 308      *     notAfter       CertificateValidityDate }
 309      *
 310      * CertificateValidityDate ::= CHOICE {
 311      *     utcTime        UTCTime,
 312      *     generalTime    GeneralizedTime }
 313      * </pre>
 314      *
 315      * @return the start date of the validity period.
 316      * @see #checkValidity
 317      */
 318     public abstract Date getNotBefore();
 319 
 320     /**
 321      * Gets the {@code notAfter} date from the validity period of
 322      * the certificate. See {@link #getNotBefore() getNotBefore}
 323      * for relevant ASN.1 definitions.
 324      *
 325      * @return the end date of the validity period.
 326      * @see #checkValidity
 327      */
 328     public abstract Date getNotAfter();
 329 
 330     /**
 331      * Gets the DER-encoded certificate information, the
 332      * {@code tbsCertificate} from this certificate.
 333      * This can be used to verify the signature independently.
 334      *
 335      * @return the DER-encoded certificate information.
 336      * @exception CertificateEncodingException if an encoding error occurs.
 337      */
 338     public abstract byte[] getTBSCertificate()
 339         throws CertificateEncodingException;
 340 
 341     /**
 342      * Gets the {@code signature} value (the raw signature bits) from
 343      * the certificate.
 344      * The ASN.1 definition for this is:
 345      * <pre>
 346      * signature     BIT STRING
 347      * </pre>
 348      *
 349      * @return the signature.
 350      */
 351     public abstract byte[] getSignature();
 352 
 353     /**
 354      * Gets the signature algorithm name for the certificate
 355      * signature algorithm. An example is the string "SHA256withRSA".
 356      * The ASN.1 definition for this is:
 357      * <pre>
 358      * signatureAlgorithm   AlgorithmIdentifier
 359      *
 360      * AlgorithmIdentifier  ::=  SEQUENCE  {
 361      *     algorithm               OBJECT IDENTIFIER,
 362      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
 363      *                             -- contains a value of the type
 364      *                             -- registered for use with the
 365      *                             -- algorithm object identifier value
 366      * </pre>
 367      *
 368      * <p>The algorithm name is determined from the {@code algorithm}
 369      * OID string.
 370      *
 371      * @return the signature algorithm name.
 372      */
 373     public abstract String getSigAlgName();
 374 
 375     /**
 376      * Gets the signature algorithm OID string from the certificate.
 377      * An OID is represented by a set of nonnegative whole numbers separated
 378      * by periods.
 379      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
 380      * with DSA signature algorithm defined in
 381      * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
 382      * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
 383      * and CRL Profile</a>.
 384      *
 385      * <p>See {@link #getSigAlgName() getSigAlgName} for
 386      * relevant ASN.1 definitions.
 387      *
 388      * @return the signature algorithm OID string.
 389      */
 390     public abstract String getSigAlgOID();
 391 
 392     /**
 393      * Gets the DER-encoded signature algorithm parameters from this
 394      * certificate's signature algorithm. In most cases, the signature
 395      * algorithm parameters are null; the parameters are usually
 396      * supplied with the certificate's public key.
 397      * If access to individual parameter values is needed then use
 398      * {@link java.security.AlgorithmParameters AlgorithmParameters}
 399      * and instantiate with the name returned by
 400      * {@link #getSigAlgName() getSigAlgName}.
 401      *
 402      * <p>See {@link #getSigAlgName() getSigAlgName} for
 403      * relevant ASN.1 definitions.
 404      *
 405      * @return the DER-encoded signature algorithm parameters, or
 406      *         null if no parameters are present.
 407      */
 408     public abstract byte[] getSigAlgParams();
 409 
 410     /**
 411      * Gets the {@code issuerUniqueID} value from the certificate.
 412      * The issuer unique identifier is present in the certificate
 413      * to handle the possibility of reuse of issuer names over time.
 414      * RFC 5280 recommends that names not be reused and that
 415      * conforming certificates not make use of unique identifiers.
 416      * Applications conforming to that profile should be capable of
 417      * parsing unique identifiers and making comparisons.
 418      *
 419      * <p>The ASN.1 definition for this is:
 420      * <pre>
 421      * issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL
 422      *
 423      * UniqueIdentifier  ::=  BIT STRING
 424      * </pre>
 425      *
 426      * @return the issuer unique identifier or null if it is not
 427      * present in the certificate.
 428      */
 429     public abstract boolean[] getIssuerUniqueID();
 430 
 431     /**
 432      * Gets the {@code subjectUniqueID} value from the certificate.
 433      *
 434      * <p>The ASN.1 definition for this is:
 435      * <pre>
 436      * subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL
 437      *
 438      * UniqueIdentifier  ::=  BIT STRING
 439      * </pre>
 440      *
 441      * @return the subject unique identifier or null if it is not
 442      * present in the certificate.
 443      */
 444     public abstract boolean[] getSubjectUniqueID();
 445 
 446     /**
 447      * Gets a boolean array representing bits of
 448      * the {@code KeyUsage} extension, (OID = 2.5.29.15).
 449      * The key usage extension defines the purpose (e.g., encipherment,
 450      * signature, certificate signing) of the key contained in the
 451      * certificate.
 452      * The ASN.1 definition for this is:
 453      * <pre>
 454      * KeyUsage ::= BIT STRING {
 455      *     digitalSignature        (0),
 456      *     nonRepudiation          (1),
 457      *     keyEncipherment         (2),
 458      *     dataEncipherment        (3),
 459      *     keyAgreement            (4),
 460      *     keyCertSign             (5),
 461      *     cRLSign                 (6),
 462      *     encipherOnly            (7),
 463      *     decipherOnly            (8) }
 464      * </pre>
 465      * RFC 5280 recommends that when used, this be marked
 466      * as a critical extension.
 467      *
 468      * @return the KeyUsage extension of this certificate, represented as
 469      * an array of booleans. The order of KeyUsage values in the array is
 470      * the same as in the above ASN.1 definition. The array will contain a
 471      * value for each KeyUsage defined above. If the KeyUsage list encoded
 472      * in the certificate is longer than the above list, it will not be
 473      * truncated. Returns null if this certificate does not
 474      * contain a KeyUsage extension.
 475      */
 476     public abstract boolean[] getKeyUsage();
 477 
 478     /**
 479      * Gets an unmodifiable list of Strings representing the OBJECT
 480      * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
 481      * extended key usage extension, (OID = 2.5.29.37).  It indicates
 482      * one or more purposes for which the certified public key may be
 483      * used, in addition to or in place of the basic purposes
 484      * indicated in the key usage extension field.  The ASN.1
 485      * definition for this is:
 486      * <pre>
 487      * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
 488      *
 489      * KeyPurposeId ::= OBJECT IDENTIFIER
 490      * </pre>
 491      *
 492      * Key purposes may be defined by any organization with a
 493      * need. Object identifiers used to identify key purposes shall be
 494      * assigned in accordance with IANA or ITU-T Rec. X.660 |
 495      * ISO/IEC/ITU 9834-1.
 496      * <p>
 497      * This method was added to version 1.4 of the Java 2 Platform Standard
 498      * Edition. In order to maintain backwards compatibility with existing
 499      * service providers, this method is not {@code abstract}
 500      * and it provides a default implementation. Subclasses
 501      * should override this method with a correct implementation.
 502      *
 503      * @return the ExtendedKeyUsage extension of this certificate,
 504      *         as an unmodifiable list of object identifiers represented
 505      *         as Strings. Returns null if this certificate does not
 506      *         contain an ExtendedKeyUsage extension.
 507      * @throws CertificateParsingException if the extension cannot be decoded
 508      * @since 1.4
 509      */
 510     public List<String> getExtendedKeyUsage() throws CertificateParsingException {
 511         return X509CertImpl.getExtendedKeyUsage(this);
 512     }
 513 
 514     /**
 515      * Gets the certificate constraints path length from the
 516      * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
 517      * <p>
 518      * The basic constraints extension identifies whether the subject
 519      * of the certificate is a Certificate Authority (CA) and
 520      * how deep a certification path may exist through that CA. The
 521      * {@code pathLenConstraint} field (see below) is meaningful
 522      * only if {@code cA} is set to TRUE. In this case, it gives the
 523      * maximum number of CA certificates that may follow this certificate in a
 524      * certification path. A value of zero indicates that only an end-entity
 525      * certificate may follow in the path.
 526      * <p>
 527      * The ASN.1 definition for this is:
 528      * <pre>
 529      * BasicConstraints ::= SEQUENCE {
 530      *     cA                  BOOLEAN DEFAULT FALSE,
 531      *     pathLenConstraint   INTEGER (0..MAX) OPTIONAL }
 532      * </pre>
 533      *
 534      * @return the value of {@code pathLenConstraint} if the
 535      * BasicConstraints extension is present in the certificate and the
 536      * subject of the certificate is a CA, otherwise -1.
 537      * If the subject of the certificate is a CA and
 538      * {@code pathLenConstraint} does not appear,
 539      * {@code Integer.MAX_VALUE} is returned to indicate that there is no
 540      * limit to the allowed length of the certification path.
 541      */
 542     public abstract int getBasicConstraints();
 543 
 544     /**
 545      * Gets an immutable collection of subject alternative names from the
 546      * {@code SubjectAltName} extension, (OID = 2.5.29.17).
 547      * <p>
 548      * The ASN.1 definition of the {@code SubjectAltName} extension is:
 549      * <pre>
 550      * SubjectAltName ::= GeneralNames
 551      *
 552      * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
 553      *
 554      * GeneralName ::= CHOICE {
 555      *      otherName                       [0]     OtherName,
 556      *      rfc822Name                      [1]     IA5String,
 557      *      dNSName                         [2]     IA5String,
 558      *      x400Address                     [3]     ORAddress,
 559      *      directoryName                   [4]     Name,
 560      *      ediPartyName                    [5]     EDIPartyName,
 561      *      uniformResourceIdentifier       [6]     IA5String,
 562      *      iPAddress                       [7]     OCTET STRING,
 563      *      registeredID                    [8]     OBJECT IDENTIFIER}
 564      * </pre>
 565      * <p>
 566      * If this certificate does not contain a {@code SubjectAltName}
 567      * extension, {@code null} is returned. Otherwise, a
 568      * {@code Collection} is returned with an entry representing each
 569      * {@code GeneralName} included in the extension. Each entry is a
 570      * {@code List} whose first entry is an {@code Integer}
 571      * (the name type, 0-8) and whose second entry is a {@code String}
 572      * or a byte array (the name, in string or ASN.1 DER encoded form,
 573      * respectively).
 574      * <p>
 575      * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
 576      * names are returned as {@code String}s,
 577      * using the well-established string formats for those types (subject to
 578      * the restrictions included in RFC 5280). IPv4 address names are
 579      * returned using dotted quad notation. IPv6 address names are returned
 580      * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
 581      * representing the eight 16-bit pieces of the address. OID names are
 582      * returned as {@code String}s represented as a series of nonnegative
 583      * integers separated by periods. And directory names (distinguished names)
 584      * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
 585      * RFC 2253</a> string format. No standard string format is
 586      * defined for otherNames, X.400 names, EDI party names, or any
 587      * other type of names. They are returned as byte arrays
 588      * containing the ASN.1 DER encoded form of the name.
 589      * <p>
 590      * Note that the {@code Collection} returned may contain more
 591      * than one name of the same type. Also, note that the returned
 592      * {@code Collection} is immutable and any entries containing byte
 593      * arrays are cloned to protect against subsequent modifications.
 594      * <p>
 595      * This method was added to version 1.4 of the Java 2 Platform Standard
 596      * Edition. In order to maintain backwards compatibility with existing
 597      * service providers, this method is not {@code abstract}
 598      * and it provides a default implementation. Subclasses
 599      * should override this method with a correct implementation.
 600      *
 601      * @return an immutable {@code Collection} of subject alternative
 602      * names (or {@code null})
 603      * @throws CertificateParsingException if the extension cannot be decoded
 604      * @since 1.4
 605      */
 606     public Collection<List<?>> getSubjectAlternativeNames()
 607         throws CertificateParsingException {
 608         return X509CertImpl.getSubjectAlternativeNames(this);
 609     }
 610 
 611     /**
 612      * Gets an immutable collection of issuer alternative names from the
 613      * {@code IssuerAltName} extension, (OID = 2.5.29.18).
 614      * <p>
 615      * The ASN.1 definition of the {@code IssuerAltName} extension is:
 616      * <pre>
 617      * IssuerAltName ::= GeneralNames
 618      * </pre>
 619      * The ASN.1 definition of {@code GeneralNames} is defined
 620      * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
 621      * <p>
 622      * If this certificate does not contain an {@code IssuerAltName}
 623      * extension, {@code null} is returned. Otherwise, a
 624      * {@code Collection} is returned with an entry representing each
 625      * {@code GeneralName} included in the extension. Each entry is a
 626      * {@code List} whose first entry is an {@code Integer}
 627      * (the name type, 0-8) and whose second entry is a {@code String}
 628      * or a byte array (the name, in string or ASN.1 DER encoded form,
 629      * respectively). For more details about the formats used for each
 630      * name type, see the {@code getSubjectAlternativeNames} method.
 631      * <p>
 632      * Note that the {@code Collection} returned may contain more
 633      * than one name of the same type. Also, note that the returned
 634      * {@code Collection} is immutable and any entries containing byte
 635      * arrays are cloned to protect against subsequent modifications.
 636      * <p>
 637      * This method was added to version 1.4 of the Java 2 Platform Standard
 638      * Edition. In order to maintain backwards compatibility with existing
 639      * service providers, this method is not {@code abstract}
 640      * and it provides a default implementation. Subclasses
 641      * should override this method with a correct implementation.
 642      *
 643      * @return an immutable {@code Collection} of issuer alternative
 644      * names (or {@code null})
 645      * @throws CertificateParsingException if the extension cannot be decoded
 646      * @since 1.4
 647      */
 648     public Collection<List<?>> getIssuerAlternativeNames()
 649         throws CertificateParsingException {
 650         return X509CertImpl.getIssuerAlternativeNames(this);
 651     }
 652 
 653     /**
 654      * Verifies that this certificate was signed using the
 655      * private key that corresponds to the specified public key.
 656      * This method uses the signature verification engine
 657      * supplied by the specified provider. Note that the specified
 658      * Provider object does not have to be registered in the provider list.
 659      *
 660      * This method was added to version 1.8 of the Java Platform Standard
 661      * Edition. In order to maintain backwards compatibility with existing
 662      * service providers, this method is not {@code abstract}
 663      * and it provides a default implementation.
 664      *
 665      * @param key the PublicKey used to carry out the verification.
 666      * @param sigProvider the signature provider.
 667      *
 668      * @exception NoSuchAlgorithmException on unsupported signature
 669      * algorithms.
 670      * @exception InvalidKeyException on incorrect key.
 671      * @exception SignatureException on signature errors.
 672      * @exception CertificateException on encoding errors.
 673      * @exception UnsupportedOperationException if the method is not supported
 674      * @since 1.8
 675      */
 676     public void verify(PublicKey key, Provider sigProvider)
 677         throws CertificateException, NoSuchAlgorithmException,
 678         InvalidKeyException, SignatureException {
 679         Signature sig = (sigProvider == null)
 680             ? Signature.getInstance(getSigAlgName())
 681             : Signature.getInstance(getSigAlgName(), sigProvider);
 682 
 683         sig.initVerify(key);
 684 
 685         // set parameters after Signature.initSign/initVerify call,
 686         // so the deferred provider selections occur when key is set
 687         try {
 688             SignatureUtil.specialSetParameter(sig, getSigAlgParams());
 689         } catch (ProviderException e) {
 690             throw new CertificateException(e.getMessage(), e.getCause());
 691         } catch (InvalidAlgorithmParameterException e) {
 692             throw new CertificateException(e);
 693         }
 694 
 695         byte[] tbsCert = getTBSCertificate();
 696         sig.update(tbsCert, 0, tbsCert.length);
 697 
 698         if (sig.verify(getSignature()) == false) {
 699             throw new SignatureException("Signature does not match.");
 700         }
 701     }
 702 }