The extensions defined for X.509 v3 * {@link X509Certificate Certificates} and v2 * {@link X509CRL CRLs} (Certificate Revocation * Lists) provide methods * for associating additional attributes with users or public keys, * for managing the certification hierarchy, and for managing CRL * distribution. The X.509 extensions format also allows communities * to define private extensions to carry information unique to those * communities. * *
Each extension in a certificate/CRL may be designated as * critical or non-critical. A certificate/CRL-using system (an application * validating a certificate/CRL) must reject the certificate/CRL if it * encounters a critical extension it does not recognize. A non-critical * extension may be ignored if it is not recognized. *
* The ASN.1 definition for this is: *
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*
* Extension ::= SEQUENCE {
* extnId OBJECT IDENTIFIER,
* critical BOOLEAN DEFAULT FALSE,
* extnValue OCTET STRING
* -- contains a DER encoding of a value
* -- of the type registered for use with
* -- the extnId object identifier value
* }
*
* Since not all extensions are known, the getExtensionValue
* method returns the DER-encoded OCTET STRING of the
* extension value (i.e., the extnValue). This can then
* be handled by a Class that understands the extension.
*
* @author Hemma Prafullchandra
* @version 1.22 03/12/19
*/
public interface X509Extension {
/**
* Check if there is a critical extension that is not supported.
*
* @return true if a critical extension is found that is
* not supported, otherwise false.
*/
public boolean hasUnsupportedCriticalExtension();
/**
* Gets a Set of the OID strings for the extension(s) marked
* CRITICAL in the certificate/CRL managed by the object
* implementing this interface.
*
* Here is sample code to get a Set of critical extensions from an
* X509Certificate and print the OIDs:
*
* InputStream inStrm = new FileInputStream("DER-encoded-Cert");
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* X509Certificate cert = (X509Certificate)cf.generateCertificate(inStrm);
* inStrm.close();
*
* Set critSet = cert.getCriticalExtensionOIDs();
* if (critSet != null && !critSet.isEmpty()) {
* System.out.println("Set of critical extensions:");
* for (Iterator i = critSet.iterator(); i.hasNext();) {
* String oid = (String)i.next();
* System.out.println(oid);
* }
* }
*
* InputStream inStrm = new FileInputStream("DER-encoded-CRL");
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* X509CRL crl = (X509CRL)cf.generateCRL(inStrm);
* inStrm.close();
*
* byte[] certData = <DER-encoded certificate data>
* ByteArrayInputStream bais = new ByteArrayInputStream(certData);
* X509Certificate cert = (X509Certificate)cf.generateCertificate(bais);
* bais.close();
* X509CRLEntry badCert =
* crl.getRevokedCertificate(cert.getSerialNumber());
*
* if (badCert != null) {
* Set nonCritSet = badCert.getNonCriticalExtensionOIDs();
* if (nonCritSet != null)
* for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
* String oid = (String)i.next();
* System.out.println(oid);
* }
* }
*
oid
* String.
* The oid string is
* represented by a set of nonnegative whole numbers separated
* by periods.
*
* For example:
*
| OID (Object Identifier) | *Extension Name |
|---|---|
| 2.5.29.14 | *SubjectKeyIdentifier |
| 2.5.29.15 | *KeyUsage |
| 2.5.29.16 | *PrivateKeyUsage |
| 2.5.29.17 | *SubjectAlternativeName |
| 2.5.29.18 | *IssuerAlternativeName |
| 2.5.29.19 | *BasicConstraints |
| 2.5.29.30 | *NameConstraints |
| 2.5.29.33 | *PolicyMappings |
| 2.5.29.35 | *AuthorityKeyIdentifier |
| 2.5.29.36 | *PolicyConstraints |