public interface X509Extension
java.security.cert.X509Extension
Known Indirect Subclasses: X509Certificate, X509CRL, X509CRLEntry
Interface for an X.509 extension.

The extensions defined for X.509 v3 Certificates and v2 CRLs (Certificate Revocation Lists) provide methods for associating additional attributes with users or public keys, for managing the certification hierarchy, and for managing CRL distribution. The X.509 extension format also allows communities to define private extensions to carry information unique to those communities.

Each extension in a certificate/CRL may be designated as critical or non-critical. A certificate/CRL-using system (an application validating a certificate/CRL) must reject the certificate/CRL if it encounters a critical extension it does not recognize. A non-critical extension may be ignored if it is not recognized.

The ASN.1 definition for this is:

```asn1
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnId        OBJECT IDENTIFIER,
    critical      BOOLEAN DEFAULT FALSE,
    extnValue     OCTET STRING
                  -- contains a DER encoding of a value
                  -- of the type registered for use with
                  -- the extnId object identifier value
}
```

Since not all extensions are known, the getExtensionValue method returns the DER-encoded OCTET STRING of the extension value (i.e., the extnValue). This can then be handled by a class that understands the extension.
Public methods

| Return type | Method |
|---|---|
| abstract Set<String> | getCriticalExtensionOIDs() Gets a Set of the OID strings for the extension(s) marked CRITICAL in the certificate/CRL managed by the object implementing this interface. |
| abstract byte[] | getExtensionValue(String oid) Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String. |
| abstract Set<String> | getNonCriticalExtensionOIDs() Gets a Set of the OID strings for the extension(s) marked NON-CRITICAL in the certificate/CRL managed by the object implementing this interface. |
| abstract boolean | hasUnsupportedCriticalExtension() Checks whether there is a critical extension that is not supported. |
Set<String> getCriticalExtensionOIDs ()

Gets a Set of the OID strings for the extension(s) marked CRITICAL in the certificate/CRL managed by the object implementing this interface. Here is sample code to get a Set of critical extensions from an X509Certificate and print the OIDs:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

InputStream inStrm = null;
X509Certificate cert = null;
try {
    inStrm = new FileInputStream("DER-encoded-Cert");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    cert = (X509Certificate) cf.generateCertificate(inStrm);
} finally {
    if (inStrm != null) {
        inStrm.close();
    }
}

// null means the certificate carries no extensions at all; an empty Set means none are critical.
Set<String> critSet = cert.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()) {
    System.out.println("Set of critical extensions:");
    for (String oid : critSet) {
        System.out.println(oid);
    }
}
```

Returns

| Type | Description |
|---|---|
| Set<String> | a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null. |
byte[] getExtensionValue (String oid)

Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String. The oid string is represented by a set of non-negative whole numbers separated by periods.

For example:
OID (Object Identifier) | Extension Name |
---|---|
2.5.29.14 | SubjectKeyIdentifier |
2.5.29.15 | KeyUsage |
2.5.29.16 | PrivateKeyUsage |
2.5.29.17 | SubjectAlternativeName |
2.5.29.18 | IssuerAlternativeName |
2.5.29.19 | BasicConstraints |
2.5.29.30 | NameConstraints |
2.5.29.33 | PolicyMappings |
2.5.29.35 | AuthorityKeyIdentifier |
2.5.29.36 | PolicyConstraints |
Parameters

| Name | Description |
|---|---|
| oid | String: the Object Identifier value for the extension. |

Returns

| Type | Description |
|---|---|
| byte[] | the DER-encoded octet string of the extension value or null if it is not present. |
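What getExtensionValue returns is the extnValue OCTET STRING itself, DER tag and length included, so the extension's real value is wrapped twice: the outer OCTET STRING must be stripped before the inner DER (a BIT STRING for KeyUsage, a SEQUENCE for BasicConstraints) is decoded. Feeding the raw bytes to a decoder expecting the inner type is a common mistake. The following is an added example, not code from the JDK or from this page; the decoder class and its method names are this example's own, and the two byte arrays in main are constructed here to match what getExtensionValue("2.5.29.19") and getExtensionValue("2.5.29.15") return for a CA certificate (CA:TRUE with pathLen 0; digitalSignature, keyCertSign and cRLSign set). For these two extensions X509Certificate also offers getBasicConstraints() and getKeyUsage(); the manual path below is what you need for extensions the class does not expose.

```java
import java.util.Arrays;

public class ExtnValueDecoder {

    /** Strip the outer OCTET STRING (tag 0x04) that getExtensionValue() returns and hand back the inner DER. */
    static byte[] unwrapOctetString(byte[] ext) {
        if (ext == null || ext.length < 2 || ext[0] != 0x04) {
            throw new IllegalArgumentException("extnValue is not a DER OCTET STRING");
        }
        int[] l = readLength(ext, 1);                 // {length, offset of content}
        if (l[1] + l[0] != ext.length) {
            throw new IllegalArgumentException("trailing or truncated data in extnValue");
        }
        return Arrays.copyOfRange(ext, l[1], l[1] + l[0]);
    }

    /** Decode a DER length starting at pos; returns {length, offsetOfContent}. Short and long forms (up to 4 bytes). */
    static int[] readLength(byte[] buf, int pos) {
        int first = buf[pos] & 0xFF;
        if (first < 0x80) {
            return new int[] {first, pos + 1};
        }
        int numBytes = first & 0x7F;
        if (numBytes == 0 || numBytes > 4 || pos + 1 + numBytes > buf.length) {
            throw new IllegalArgumentException("bad DER length");
        }
        int len = 0;
        for (int i = 0; i < numBytes; i++) {
            len = (len << 8) | (buf[pos + 1 + i] & 0xFF);
        }
        return new int[] {len, pos + 1 + numBytes};
    }

    /** KeyUsage (2.5.29.15) is a BIT STRING; bit 0 (digitalSignature) is the MSB of the first content byte. */
    static boolean[] parseKeyUsage(byte[] inner) {
        if (inner[0] != 0x03) {
            throw new IllegalArgumentException("KeyUsage must be a BIT STRING");
        }
        int[] l = readLength(inner, 1);
        int unusedBits = inner[l[1]] & 0xFF;          // first content byte: number of unused trailing bits
        int totalBits = (l[0] - 1) * 8 - unusedBits;
        boolean[] bits = new boolean[9];              // digitalSignature(0) .. decipherOnly(8)
        for (int i = 0; i < Math.min(9, totalBits); i++) {
            bits[i] = (inner[l[1] + 1 + i / 8] & (0x80 >> (i % 8))) != 0;
        }
        return bits;
    }

    /**
     * BasicConstraints (2.5.29.19): SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
     * Returns -1 for an end-entity certificate, Integer.MAX_VALUE for a CA with no path length limit, else the limit.
     */
    static int parseBasicConstraints(byte[] inner) {
        if (inner[0] != 0x30) {
            throw new IllegalArgumentException("BasicConstraints must be a SEQUENCE");
        }
        int[] l = readLength(inner, 1);
        int pos = l[1], end = l[1] + l[0];
        boolean ca = false;
        if (pos < end && inner[pos] == 0x01) {        // BOOLEAN cA (absent means FALSE)
            ca = inner[pos + 2] != 0;
            pos += 3;
        }
        if (!ca) {
            return -1;
        }
        if (pos < end && inner[pos] == 0x02) {        // INTEGER pathLenConstraint
            int[] il = readLength(inner, pos + 1);
            int v = 0;
            for (int i = 0; i < il[0]; i++) {
                v = (v << 8) | (inner[il[1] + i] & 0xFF);
            }
            return v;
        }
        return Integer.MAX_VALUE;
    }

    public static void main(String[] args) {
        // Constructed sample: the bytes getExtensionValue("2.5.29.19") returns for CA:TRUE, pathLenConstraint 0.
        byte[] basicConstraints = {0x04, 0x08, 0x30, 0x06, 0x01, 0x01, (byte) 0xFF, 0x02, 0x01, 0x00};
        // Constructed sample: getExtensionValue("2.5.29.15") for digitalSignature | keyCertSign | cRLSign.
        byte[] keyUsage = {0x04, 0x04, 0x03, 0x02, 0x01, (byte) 0x86};

        System.out.println("pathLenConstraint = " + parseBasicConstraints(unwrapOctetString(basicConstraints)));
        boolean[] ku = parseKeyUsage(unwrapOctetString(keyUsage));
        System.out.println("digitalSignature=" + ku[0] + " keyCertSign=" + ku[5] + " cRLSign=" + ku[6]);
        // With a real certificate the same chain is:
        //   parseBasicConstraints(unwrapOctetString(cert.getExtensionValue("2.5.29.19")))
    }
}
```

The length checks matter: unwrapOctetString rejects an extnValue whose declared length does not cover exactly the bytes returned, and readLength refuses indefinite-length and oversized length encodings, which are not valid DER and are a classic way to push a hand-written decoder past the end of its buffer.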
Set<String> getNonCriticalExtensionOIDs ()

Gets a Set of the OID strings for the extension(s) marked NON-CRITICAL in the certificate/CRL managed by the object implementing this interface. Here is sample code to get a Set of non-critical extensions from an X509CRL revoked certificate entry and print the OIDs:

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Set;

InputStream inStrm = null;
CertificateFactory cf = null;
X509CRL crl = null;
try {
    inStrm = new FileInputStream("DER-encoded-CRL");
    cf = CertificateFactory.getInstance("X.509");
    crl = (X509CRL) cf.generateCRL(inStrm);
} finally {
    if (inStrm != null) {
        inStrm.close();
    }
}

byte[] certData = <DER-encoded certificate data>;
ByteArrayInputStream bais = new ByteArrayInputStream(certData);
X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);
bais.close();
// Look up the certificate's entry in the CRL by serial number; null means the CRL does not list it as revoked.
X509CRLEntry badCert = crl.getRevokedCertificate(cert.getSerialNumber());

if (badCert != null) {
    Set<String> nonCritSet = badCert.getNonCriticalExtensionOIDs();
    if (nonCritSet != null) {
        for (String oid : nonCritSet) {
            System.out.println(oid);
        }
    }
}
```

Serial numbers are unique only within a single issuer, so a lookup by serial number alone is meaningful only when the CRL was issued by the certificate's issuer (or is an indirect CRL that covers it); check the issuer before treating the entry as authoritative.

Returns

| Type | Description |
|---|---|
| Set<String> | a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null. |
boolean hasUnsupportedCriticalExtension ()

Checks whether there is a critical extension that is not supported.

Returns

| Type | Description |
|---|---|
| boolean | true if a critical extension is found that is not supported, otherwise false. |
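The rejection rule stated at the top of this page (an unrecognized critical extension must cause the certificate or CRL to be rejected) has to be applied at two levels. hasUnsupportedCriticalExtension() reports the provider's view: whether it can parse every critical extension. It says nothing about whether the calling application actually enforces what those extensions demand, so an application that does not implement, say, NameConstraints must still reject an object that marks NameConstraints critical. The following is an added example, not code from the JDK or from this page: the gate class, its allowlist of enforced OIDs and the StubExtension stand-in (which simulates a provider that parses exactly the OIDs listed in the table above) are assumptions of this example, chosen so it runs without a real certificate. It requires Java 9 or later for Set.of.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Extension;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CriticalExtensionGate {

    /** Critical extensions this (hypothetical) application has code to enforce during validation. */
    static final Set<String> APP_ENFORCES = Set.of(
            "2.5.29.15",   // KeyUsage
            "2.5.29.17",   // SubjectAlternativeName
            "2.5.29.19");  // BasicConstraints

    /** OIDs marked critical that the application cannot enforce (empty if none). */
    static Set<String> unenforcedCritical(X509Extension ext) {
        Set<String> out = new HashSet<>();
        Set<String> crit = ext.getCriticalExtensionOIDs();
        if (crit == null) {                        // null: the object carries no extensions at all
            return out;
        }
        for (String oid : crit) {
            if (!APP_ENFORCES.contains(oid)) {
                out.add(oid);
            }
        }
        return out;
    }

    /** Provider check first, then the application's narrower allowlist; either failure rejects the object. */
    static void requireCriticalExtensionsEnforced(X509Extension ext) throws CertificateException {
        if (ext.hasUnsupportedCriticalExtension()) {
            throw new CertificateException("provider cannot parse a critical extension: "
                    + ext.getCriticalExtensionOIDs());
        }
        Set<String> bad = unenforcedCritical(ext);
        if (!bad.isEmpty()) {
            throw new CertificateException("critical extensions this application does not enforce: " + bad);
        }
    }

    /** Constructed stand-in for a certificate or CRL entry, so the gate can run without DER input. */
    static final class StubExtension implements X509Extension {
        /** What the simulated provider can parse: the OIDs in this page's table. */
        static final Set<String> PROVIDER_PARSES = Set.of("2.5.29.14", "2.5.29.15", "2.5.29.16",
                "2.5.29.17", "2.5.29.18", "2.5.29.19", "2.5.29.30", "2.5.29.33", "2.5.29.35", "2.5.29.36");
        private final Map<String, Boolean> oids = new LinkedHashMap<>();   // oid -> critical flag

        StubExtension with(String oid, boolean critical) { oids.put(oid, critical); return this; }

        @Override public Set<String> getCriticalExtensionOIDs() { return select(true); }
        @Override public Set<String> getNonCriticalExtensionOIDs() { return select(false); }
        @Override public byte[] getExtensionValue(String oid) { return null; }   // values not modelled here
        @Override public boolean hasUnsupportedCriticalExtension() {
            Set<String> crit = getCriticalExtensionOIDs();
            return crit != null && !PROVIDER_PARSES.containsAll(crit);
        }
        private Set<String> select(boolean critical) {
            if (oids.isEmpty()) {
                return null;                       // same contract as the real implementations
            }
            Set<String> s = new HashSet<>();
            oids.forEach((oid, c) -> { if (c == critical) s.add(oid); });
            return s;
        }
    }

    public static void main(String[] args) {
        StubExtension[] samples = {
            new StubExtension().with("2.5.29.19", true).with("2.5.29.15", true).with("2.5.29.14", false), // accepted
            new StubExtension().with("2.5.29.19", true).with("2.5.29.30", true),  // provider parses NameConstraints, app does not enforce it
            new StubExtension().with("1.2.3.4.5.6", true),                         // private critical extension nobody parses
        };
        for (StubExtension s : samples) {
            try {
                requireCriticalExtensionsEnforced(s);
                System.out.println("accept  critical=" + s.getCriticalExtensionOIDs());
            } catch (CertificateException e) {
                System.out.println("reject  " + e.getMessage());
            }
        }
    }
}
```

The second sample is the case the provider-level check alone misses: the provider parses NameConstraints, so hasUnsupportedCriticalExtension() is false, but the application never evaluates the constraint, so accepting the certificate would silently drop a restriction its issuer declared mandatory. Note also the null handling: getCriticalExtensionOIDs() returns null for an object with no extensions at all, which is a valid (if unusual) input to the gate, not an error.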