Generated by JDiff

java.security.cert Documentation Differences

This file contains all the changes in documentation in the package java.security.cert as colored differences. Deletions are shown like this, and additions are shown like this.
If no deletions or additions are shown in an entry, the HTML tags will be what has changed. The new HTML tags are shown in the differences. If no documentation existed, and then some was added in a later version, this change is noted in the appropriate class pages of differences, but the change is not shown on this page. Only changes in existing text are shown here. Similarly, documentation which was inherited from another class or interface is not shown here.
Note that an HTML error in the new documentation may cause the display of other documentation changes to be presented incorrectly. For instance, failure to close a <code> tag will cause all subsequent paragraphs to be displayed differently.

Class X509CRL

Abstract class for an X.509 Certificate Revocation List (CRL). A CRL is a time-stamped list identifying revoked certificates. It is signed by a Certificate Authority (CA) and made freely available in a public repository.

Each revoked certificate is identified in a CRL by its certificate serial number. When a certificate-using system uses a certificate (e.g. for verifying a remote user's digital signature), that system not only checks the certificate signature and validity but also acquires a suitably-recent CRL and checks that the certificate serial number is not on that CRL. The meaning of "suitably-recent" may vary with local policy, but it usually means the most recently-issued CRL. A CA issues a new CRL on a regular periodic basis (e.g. hourly, daily, or weekly). Entries are added to CRLs as revocations occur, and an entry may be removed when the certificate expiration date is reached.

The X.509 v2 CRL format is described below in ASN.1:

 CertificateList ::= SEQUENCE {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING }

More information can be found in RFC 2459 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at http://www.ietf.org/rfc/rfc2459.txt . (RFC 2459 has since been obsoleted by RFC 3280 and then RFC 5280, which current PKIX implementations follow.)

The ASN.1 definition of tbsCertList is:

 TBSCertList ::= SEQUENCE {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         } OPTIONAL,
     crlExtensions           [0] EXPLICIT Extensions OPTIONAL
                             -- if present, must be v2
     }

CRLs are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 CRL:

 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRL;

 // The "X.509" factory accepts a DER-encoded CRL or a PEM ("-----BEGIN X509 CRL-----") one.
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 X509CRL crl;
 try (InputStream inStream = new FileInputStream("fileName-of-crl")) {
     crl = (X509CRL) cf.generateCRL(inStream);
 }
@author Hemma Prafullchandra @version 1.22 -> 1.23 @see CRL @see CertificateFactory @see X509Extension
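The revocation check described above (verify the CRL, make sure it is suitably recent, then look up the serial number) carried through in working code. This is an added example, not code from the JDK or its documentation; it assumes Java 7 or later, PEM or DER files supplied on the command line, and the common case of a direct CRL signed by the certificate's own issuer. The class name CrlCheck and the helper names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Revocation check of one certificate against one CRL (example code, Java 7 or later). */
public class CrlCheck {

    private static final CertificateFactory CF;
    static {
        try {
            CF = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CF.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CF.generateCRL(in);   // DER or PEM ("-----BEGIN X509 CRL-----")
        }
    }

    /**
     * Returns "not revoked" or a "REVOKED ..." verdict. Throws if the CRL itself cannot be
     * trusted: an unverified or stale CRL says nothing about revocation status.
     */
    static String checkRevocation(X509Certificate cert, X509Certificate ca, X509CRL crl, Date now)
            throws Exception {
        // The CA must actually have issued the certificate being checked.
        cert.verify(ca.getPublicKey());
        // Direct-CRL assumption: the CRL issuer is the certificate issuer.
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new SecurityException("CRL issuer does not match certificate issuer");
        }
        // The CRL signature must verify under the CA key; an unsigned or tampered list is worthless.
        crl.verify(ca.getPublicKey());
        // "Suitably recent": reject a list that is not yet valid or is past its nextUpdate.
        if (now.before(crl.getThisUpdate())) {
            throw new SecurityException("CRL thisUpdate is in the future: " + crl.getThisUpdate());
        }
        Date next = crl.getNextUpdate();   // OPTIONAL in TBSCertList, so it may be null
        if (next != null && !now.before(next)) {
            throw new SecurityException("CRL is stale, nextUpdate was " + next);
        }
        // Only now is the serial-number lookup meaningful.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) {
            return "not revoked";
        }
        CRLReason reason = entry.getRevocationReason();   // null if the entry has no reason code
        return "REVOKED on " + entry.getRevocationDate()
                + (reason != null ? " (" + reason + ")" : "");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CrlCheck <cert.pem> <ca.pem> <crl.pem|crl.der>");
            System.exit(2);
        }
        X509Certificate cert = loadCert(args[0]);
        X509Certificate ca = loadCert(args[1]);
        X509CRL crl = loadCrl(args[2]);
        System.out.println(cert.getSubjectX500Principal() + ": "
                + checkRevocation(cert, ca, crl, new Date()));
    }
}
```

The order of the checks is the point: a serial-number lookup in a CRL whose signature and freshness have not been verified proves nothing, since an attacker who can substitute an old or forged CRL can hide a revocation. Indirect CRLs (a CRL issuer other than the certificate issuer), delta CRLs and distribution-point scoping are not handled here; for those, let CertPathValidator with PKIXParameters and revocation enabled do the work rather than extending this check by hand.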
Class X509CRL, X500Principal getIssuerX500Principal()

Returns the issuer (issuer distinguished name) value from the CRL as an X500Principal.

It is recommended that subclasses override this method to provide an efficient implementation. @return an X500Principal representing the issuer distinguished name @since 1.4


Class X509CRLSelector

A CRLSelector that selects X509CRLs that match all specified criteria. This class is particularly useful when selecting CRLs from a CertStore to check the revocation status of a particular certificate.

When first constructed, an X509CRLSelector has no criteria enabled and each of the get methods returns a default value (null). Therefore, the match method returns true for any X509CRL. Typically, several criteria are enabled (by calling setIssuerNames or setDateAndTime, for instance) and then the X509CRLSelector is passed to CertStore.getCRLs or some similar method.

Please refer to RFC 2459 for definitions of the X.509 CRL fields and extensions mentioned below.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize. @see CRLSelector @see X509CRL @version 1.8 12/03/01 -> 1.9 12/13/02 @since 1.4 @author Steve Hanna
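Selecting the CRL to use for a given certificate from a CertStore, as described above, in working code. This is an added example and not part of the JDK or its documentation; it assumes Java 8 or later and takes a certificate plus one or more CRL files on the command line. The class name CrlSelect and the helper names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.Date;
import java.util.List;

/** Picks the CRLs usable for a certificate out of a collection (example code, Java 8 or later). */
public class CrlSelect {

    /**
     * Returns the matching CRLs, most recently issued first, or an empty list. A selector with
     * no criteria matches everything, so each narrowing criterion is set explicitly.
     */
    static List<X509CRL> crlsFor(X509Certificate cert, Collection<X509CRL> candidates, Date when)
            throws Exception {
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates));

        X509CRLSelector sel = new X509CRLSelector();
        // Not a criterion: an optional hint that helps some CertStores (e.g. LDAP) locate
        // relevant CRLs. It filters nothing by itself, so the issuer is added as a criterion too.
        sel.setCertificateChecking(cert);
        // Criterion: the CRL issuer must equal the certificate's issuer DN.
        sel.addIssuer(cert.getIssuerX500Principal());
        // Criterion: thisUpdate <= when < nextUpdate, i.e. drop stale and not-yet-valid CRLs.
        sel.setDateAndTime(when);

        List<X509CRL> out = new ArrayList<>();
        for (CRL c : store.getCRLs(sel)) {
            out.add((X509CRL) c);
        }
        // Several CRLs from one issuer may be current; prefer the most recently issued one.
        out.sort(Comparator.comparing(X509CRL::getThisUpdate, Comparator.reverseOrder()));
        return out;
    }

    /** An empty selector is a wildcard: worth knowing, dangerous to rely on. */
    static boolean emptySelectorMatches(X509CRL crl) {
        return new X509CRLSelector().match(crl);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CrlSelect <cert.pem> <crl1> [<crl2> ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        List<X509CRL> usable = crlsFor(cert, crls, new Date());
        System.out.println(usable.size() + " of " + crls.size() + " CRL(s) usable for "
                + cert.getSubjectX500Principal());
        for (X509CRL crl : usable) {
            System.out.println("  issuer=" + crl.getIssuerX500Principal()
                    + " thisUpdate=" + crl.getThisUpdate() + " nextUpdate=" + crl.getNextUpdate());
        }
    }
}
```

Selection is not verification: a CRL returned by getCRLs still has to have its signature checked against the issuing CA's key before its contents mean anything. Two details worth remembering with the date criterion: the JDK's selector treats a CRL that has no nextUpdate as not matching once setDateAndTime has been called, and the criterion is evaluated against the CRL's own clock fields, so the clock of the checking host matters.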


Class X509Certificate

Abstract class for X.509 certificates. This provides a standard way to access all the attributes of an X.509 certificate.

In June of 1996, the basic X.509 v3 format was completed by ISO/IEC and ANSI X9, and is described below in ASN.1:

 Certificate ::= SEQUENCE {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING }

These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET).

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. CAs act as trusted third parties, making introductions between principals who have no direct knowledge of each other. CA certificates are either signed by themselves or by some other CA, such as a "root" CA.

More information can be found in RFC 2459 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" at http://www.ietf.org/rfc/rfc2459.txt . (RFC 2459 has since been obsoleted by RFC 3280 and then RFC 5280.)

The ASN.1 definition of tbsCertificate is:

 TBSCertificate ::= SEQUENCE {
     version                 [0] EXPLICIT Version DEFAULT v1,
     serialNumber            CertificateSerialNumber,
     signature               AlgorithmIdentifier,
     issuer                  Name,
     validity                Validity,
     subject                 Name,
     subjectPublicKeyInfo    SubjectPublicKeyInfo,
     issuerUniqueID          [1] IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version must be v2 or v3
     subjectUniqueID         [2] IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version must be v2 or v3
     extensions              [3] EXPLICIT Extensions OPTIONAL
                             -- If present, version must be v3
     }

Certificates are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 certificate:

 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;

 // The "X.509" factory accepts a DER-encoded certificate or a PEM ("-----BEGIN CERTIFICATE-----") one.
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 X509Certificate cert;
 try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
     cert = (X509Certificate) cf.generateCertificate(inStream);
 }
@author Hemma Prafullchandra @version 1.33 -> 1.34 @see Certificate @see CertificateFactory @see X509Extension
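The class doc above says CA certificates are "either signed by themselves or by some other CA" and that X509Certificate gives access to all certificate attributes. As an added example (not JDK code), the following inspects the trust anchors of the running JDK, checks which of them are self-issued, self-signed, marked as CAs in BasicConstraints and KeyUsage, and currently valid, and reports any that fail. It assumes Java 8 or later and a default trust store (normally $JAVA_HOME/lib/security/cacerts); the class name RootInspect and the helper names are this example's own.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Inspects the trust anchors of the running JDK (example code, Java 8 or later). */
public class RootInspect {

    /** Self-issued: issuer DN equals subject DN. Necessary but not sufficient for a root. */
    static boolean isSelfIssued(X509Certificate cert) {
        return cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
    }

    /** Self-signed: the signature verifies under the certificate's own public key. */
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {   // bad signature, unsupported algorithm, or wrong key
            return false;
        }
    }

    /**
     * A CA certificate asserts cA=TRUE in BasicConstraints (getBasicConstraints() >= 0) and, if
     * KeyUsage is present, keyCertSign (bit 5). Treat a missing KeyUsage as permissive.
     */
    static boolean looksLikeCa(X509Certificate cert) {
        boolean ca = cert.getBasicConstraints() >= 0;
        boolean[] ku = cert.getKeyUsage();
        boolean keyCertSign = (ku == null) || (ku.length > 5 && ku[5]);
        return ca && keyCertSign;
    }

    static boolean isValidAt(X509Certificate cert, Date when) {
        try {
            cert.checkValidity(when);
            return true;
        } catch (Exception e) {   // CertificateExpiredException or CertificateNotYetValidException
            return false;
        }
    }

    /** Trust anchors of the default trust store, obtained without hard-coding its path. */
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null keystore selects the JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** Subjects of trust anchors that fail any of the checks above at the given time. */
    static List<String> suspiciousAnchors(X509Certificate[] anchors, Date when) {
        List<String> out = new ArrayList<>();
        for (X509Certificate c : anchors) {
            StringBuilder why = new StringBuilder();
            if (!isSelfIssued(c)) why.append(" not-self-issued");
            if (!isSelfSigned(c)) why.append(" self-signature-fails");
            if (!looksLikeCa(c)) why.append(" no-CA-constraint");
            if (!isValidAt(c, when)) why.append(" not-valid-now");
            if (why.length() > 0) out.add(c.getSubjectX500Principal() + ":" + why);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] anchors = defaultTrustAnchors();
        List<String> flagged = suspiciousAnchors(anchors, new Date());
        System.out.println(anchors.length + " trust anchors, " + flagged.size() + " flagged");
        for (String s : flagged) {
            System.out.println("  " + s);
        }
    }
}
```

A passing self-signature only shows that the certificate is internally consistent; anyone can produce such a certificate. What makes a root trusted is its presence in the trust store, which is why the example enumerates the store instead of accepting whatever verifies under its own key. Note also that verify() does not apply the JDK's disabled-algorithm policy, so a root signed with a weak algorithm still verifies here; that policy is enforced by CertPathValidator, not by X509Certificate.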
Class X509Certificate, X500Principal getIssuerX500Principal()

Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal.

It is recommended that subclasses override this method to provide an efficient implementation. @return an X500Principal representing the issuer distinguished name @since 1.4

Class X509Certificate, X500Principal getSubjectX500Principal()

Returns the subject (subject distinguished name) value from the certificate as an X500Principal. If the subject value is empty then the getName() method of the returned X500Principal object returns an empty string ("").

It is recommended that subclasses override this method to provide an efficient implementation. @return an X500Principal representing the subject distinguished name @since 1.4