public class X509CertSelector extends Object implements CertSelector
CertSelector that selects X509Certificates that
 match all specified criteria. This class is particularly useful when
 selecting certificates from a CertStore to build a
 PKIX-compliant certification path.
 
 When first constructed, an X509CertSelector has no criteria
 enabled and each of the get methods return a default value
 (null, or -1 for the getBasicConstraints method). Therefore, the match
 method would return true for any X509Certificate.
 Typically, several criteria are enabled (by calling
 setIssuer or
 setKeyUsage, for instance) and then the
 X509CertSelector is passed to
 CertStore.getCertificates or some similar
 method.
 
 Several criteria can be enabled (by calling setIssuer
 and setSerialNumber,
 for example) such that the match method
 usually uniquely matches a single X509Certificate. We say
 usually, since it is possible for two issuing CAs to have the same
 distinguished name and each issue a certificate with the same serial
 number. Other unique combinations include the issuer, subject,
 subjectKeyIdentifier and/or the subjectPublicKey criteria.
 
Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 certificate extensions mentioned below.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
CertSelector, 
X509Certificate| Constructor and Description | 
|---|
| X509CertSelector()Creates an  X509CertSelector. | 
| Modifier and Type | Method and Description | 
|---|---|
| void | addPathToName(int type,
             byte[] name)Adds a name to the pathToNames criterion. | 
| void | addPathToName(int type,
             String name)Adds a name to the pathToNames criterion. | 
| void | addSubjectAlternativeName(int type,
                         byte[] name)Adds a name to the subjectAlternativeNames criterion. | 
| void | addSubjectAlternativeName(int type,
                         String name)Adds a name to the subjectAlternativeNames criterion. | 
| Object | clone()Returns a copy of this object. | 
| byte[] | getAuthorityKeyIdentifier()Returns the authorityKeyIdentifier criterion. | 
| int | getBasicConstraints()Returns the basic constraints constraint. | 
| X509Certificate | getCertificate()Returns the certificateEquals criterion. | 
| Date | getCertificateValid()Returns the certificateValid criterion. | 
| Set<String> | getExtendedKeyUsage()Returns the extendedKeyUsage criterion. | 
| X500Principal | getIssuer()Returns the issuer criterion as an  X500Principal. | 
| byte[] | getIssuerAsBytes()Returns the issuer criterion as a byte array. | 
| String | getIssuerAsString()Denigrated, use getIssuer() or
 getIssuerAsBytes() instead. | 
| boolean[] | getKeyUsage()Returns the keyUsage criterion. | 
| boolean | getMatchAllSubjectAltNames()Indicates if the  X509Certificatemust contain all
 or at least one of the subjectAlternativeNames
 specified in thesetSubjectAlternativeNamesoraddSubjectAlternativeNamemethods. | 
| byte[] | getNameConstraints()Returns the name constraints criterion. | 
| Collection<List<?>> | getPathToNames()Returns a copy of the pathToNames criterion. | 
| Set<String> | getPolicy()Returns the policy criterion. | 
| Date | getPrivateKeyValid()Returns the privateKeyValid criterion. | 
| BigInteger | getSerialNumber()Returns the serialNumber criterion. | 
| X500Principal | getSubject()Returns the subject criterion as an  X500Principal. | 
| Collection<List<?>> | getSubjectAlternativeNames()Returns a copy of the subjectAlternativeNames criterion. | 
| byte[] | getSubjectAsBytes()Returns the subject criterion as a byte array. | 
| String | getSubjectAsString()Denigrated, use getSubject() or
 getSubjectAsBytes() instead. | 
| byte[] | getSubjectKeyIdentifier()Returns the subjectKeyIdentifier criterion. | 
| PublicKey | getSubjectPublicKey()Returns the subjectPublicKey criterion. | 
| String | getSubjectPublicKeyAlgID()Returns the subjectPublicKeyAlgID criterion. | 
| boolean | match(Certificate cert)Decides whether a  Certificateshould be selected. | 
| void | setAuthorityKeyIdentifier(byte[] authorityKeyID)Sets the authorityKeyIdentifier criterion. | 
| void | setBasicConstraints(int minMaxPathLen)Sets the basic constraints constraint. | 
| void | setCertificate(X509Certificate cert)Sets the certificateEquals criterion. | 
| void | setCertificateValid(Date certValid)Sets the certificateValid criterion. | 
| void | setExtendedKeyUsage(Set<String> keyPurposeSet)Sets the extendedKeyUsage criterion. | 
| void | setIssuer(byte[] issuerDN)Sets the issuer criterion. | 
| void | setIssuer(String issuerDN)Denigrated, use setIssuer(X500Principal)
 or setIssuer(byte[]) instead. | 
| void | setIssuer(X500Principal issuer)Sets the issuer criterion. | 
| void | setKeyUsage(boolean[] keyUsage)Sets the keyUsage criterion. | 
| void | setMatchAllSubjectAltNames(boolean matchAllNames)Enables/disables matching all of the subjectAlternativeNames
 specified in the  setSubjectAlternativeNamesoraddSubjectAlternativeNamemethods. | 
| void | setNameConstraints(byte[] bytes)Sets the name constraints criterion. | 
| void | setPathToNames(Collection<List<?>> names)Sets the pathToNames criterion. | 
| void | setPolicy(Set<String> certPolicySet)Sets the policy constraint. | 
| void | setPrivateKeyValid(Date privateKeyValid)Sets the privateKeyValid criterion. | 
| void | setSerialNumber(BigInteger serial)Sets the serialNumber criterion. | 
| void | setSubject(byte[] subjectDN)Sets the subject criterion. | 
| void | setSubject(String subjectDN)Denigrated, use setSubject(X500Principal)
 or setSubject(byte[]) instead. | 
| void | setSubject(X500Principal subject)Sets the subject criterion. | 
| void | setSubjectAlternativeNames(Collection<List<?>> names)Sets the subjectAlternativeNames criterion. | 
| void | setSubjectKeyIdentifier(byte[] subjectKeyID)Sets the subjectKeyIdentifier criterion. | 
| void | setSubjectPublicKey(byte[] key)Sets the subjectPublicKey criterion. | 
| void | setSubjectPublicKey(PublicKey key)Sets the subjectPublicKey criterion. | 
| void | setSubjectPublicKeyAlgID(String oid)Sets the subjectPublicKeyAlgID criterion. | 
| String | toString()Return a printable representation of the  CertSelector. | 
public X509CertSelector()
X509CertSelector. Initially, no criteria are set
 so any X509Certificate will match.public void setCertificate(X509Certificate cert)
X509Certificate must be equal to the
 X509Certificate passed to the match method.
 If null, then this check is not applied.
 This method is particularly useful when it is necessary to match a single certificate. Although other criteria can be specified in conjunction with the certificateEquals criterion, it is usually not practical or necessary.
cert - the X509Certificate to match (or
 null)getCertificate()public void setSerialNumber(BigInteger serial)
X509Certificate. If null, any certificate
 serial number will do.serial - the certificate serial number to match
        (or null)getSerialNumber()public void setIssuer(X500Principal issuer)
X509Certificate. If null, any issuer
 distinguished name will do.issuer - a distinguished name as X500Principal
                 (or null)public void setIssuer(String issuerDN) throws IOException
 Sets the issuer criterion. The specified distinguished name
 must match the issuer distinguished name in the
 X509Certificate. If null, any issuer
 distinguished name will do.
 
 If issuerDN is not null, it should contain a
 distinguished name, in RFC 2253 format.
issuerDN - a distinguished name in RFC 2253 format
                 (or null)IOException - if a parsing error occurs (incorrect form for DN)public void setIssuer(byte[] issuerDN)
               throws IOException
X509Certificate. If null is specified,
 the issuer criterion is disabled and any issuer distinguished name will
 do.
 
 If issuerDN is not null, it should contain a
 single DER encoded distinguished name, as defined in X.501. The ASN.1
 notation for this structure is as follows.
 
 Name ::= CHOICE {
   RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
 AttributeTypeAndValue ::= SEQUENCE {
   type     AttributeType,
   value    AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY DEFINED BY AttributeType
 ....
 DirectoryString ::= CHOICE {
       teletexString           TeletexString (SIZE (1..MAX)),
       printableString         PrintableString (SIZE (1..MAX)),
       universalString         UniversalString (SIZE (1..MAX)),
       utf8String              UTF8String (SIZE (1.. MAX)),
       bmpString               BMPString (SIZE (1..MAX)) }
 Note that the byte array specified here is cloned to protect against subsequent modifications.
issuerDN - a byte array containing the distinguished name
                 in ASN.1 DER encoded form (or null)IOException - if an encoding error occurs (incorrect form for DN)public void setSubject(X500Principal subject)
X509Certificate. If null, any subject
 distinguished name will do.subject - a distinguished name as X500Principal
                  (or null)public void setSubject(String subjectDN) throws IOException
 Sets the subject criterion. The specified distinguished name
 must match the subject distinguished name in the
 X509Certificate. If null, any subject
 distinguished name will do.
 
 If subjectDN is not null, it should contain a
 distinguished name, in RFC 2253 format.
subjectDN - a distinguished name in RFC 2253 format
                  (or null)IOException - if a parsing error occurs (incorrect form for DN)public void setSubject(byte[] subjectDN)
                throws IOException
X509Certificate. If null, any subject
 distinguished name will do.
 
 If subjectDN is not null, it should contain a
 single DER encoded distinguished name, as defined in X.501. For the ASN.1
 notation for this structure, see
 setIssuer(byte [] issuerDN).
subjectDN - a byte array containing the distinguished name in
                  ASN.1 DER format (or null)IOException - if an encoding error occurs (incorrect form for DN)public void setSubjectKeyIdentifier(byte[] subjectKeyID)
X509Certificate must contain a SubjectKeyIdentifier
 extension for which the contents of the extension
 matches the specified criterion value.
 If the criterion value is null, no
 subjectKeyIdentifier check will be done.
 
 If subjectKeyID is not null, it
 should contain a single DER encoded value corresponding to the contents
 of the extension value (not including the object identifier,
 criticality setting, and encapsulating OCTET STRING)
 for a SubjectKeyIdentifier extension.
 The ASN.1 notation for this structure follows.
 
 SubjectKeyIdentifier ::= KeyIdentifier
 KeyIdentifier ::= OCTET STRING
 
 Since the format of subject key identifiers is not mandated by
 any standard, subject key identifiers are not parsed by the
 X509CertSelector. Instead, the values are compared using
 a byte-by-byte comparison.
 
Note that the byte array supplied here is cloned to protect against subsequent modifications.
subjectKeyID - the subject key identifier (or null)getSubjectKeyIdentifier()public void setAuthorityKeyIdentifier(byte[] authorityKeyID)
X509Certificate must contain an
 AuthorityKeyIdentifier extension for which the contents of the
 extension value matches the specified criterion value.
 If the criterion value is null, no
 authorityKeyIdentifier check will be done.
 
 If authorityKeyID is not null, it
 should contain a single DER encoded value corresponding to the contents
 of the extension value (not including the object identifier,
 criticality setting, and encapsulating OCTET STRING)
 for an AuthorityKeyIdentifier extension.
 The ASN.1 notation for this structure follows.
 
 AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 KeyIdentifier ::= OCTET STRING
 
 Authority key identifiers are not parsed by the
 X509CertSelector.  Instead, the values are
 compared using a byte-by-byte comparison.
 
 When the keyIdentifier field of
 AuthorityKeyIdentifier is populated, the value is
 usually taken from the SubjectKeyIdentifier extension
 in the issuer's certificate.  Note, however, that the result of
 X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object
 Identifier>) on the issuer's certificate may NOT be used
 directly as the input to setAuthorityKeyIdentifier.
 This is because the SubjectKeyIdentifier contains
 only a KeyIdentifier OCTET STRING, and not a SEQUENCE of
 KeyIdentifier, GeneralNames, and CertificateSerialNumber.
 In order to use the extension value of the issuer certificate's
 SubjectKeyIdentifier
 extension, it will be necessary to extract the value of the embedded
 KeyIdentifier OCTET STRING, then DER encode this OCTET
 STRING inside a SEQUENCE.
 For more details on SubjectKeyIdentifier, see
 setSubjectKeyIdentifier(byte[] subjectKeyID).
 
Note also that the byte array supplied here is cloned to protect against subsequent modifications.
authorityKeyID - the authority key identifier
        (or null)getAuthorityKeyIdentifier()public void setCertificateValid(Date certValid)
X509Certificate. If null, no certificateValid
 check will be done.
 
 Note that the Date supplied here is cloned to protect
 against subsequent modifications.
certValid - the Date to check (or null)getCertificateValid()public void setPrivateKeyValid(Date privateKeyValid)
X509Certificate. If null, no privateKeyValid
 check will be done.
 
 Note that the Date supplied here is cloned to protect
 against subsequent modifications.
privateKeyValid - the Date to check (or
                        null)getPrivateKeyValid()public void setSubjectPublicKeyAlgID(String oid) throws IOException
X509Certificate must contain a subject public key
 with the specified algorithm. If null, no
 subjectPublicKeyAlgID check will be done.oid - The object identifier (OID) of the algorithm to check
            for (or null). An OID is represented by a
            set of nonnegative integers separated by periods.IOException - if the OID is invalid, such as
 the first component being not 0, 1 or 2 or the second component
 being greater than 39.getSubjectPublicKeyAlgID()public void setSubjectPublicKey(PublicKey key)
X509Certificate must contain the specified subject public
 key. If null, no subjectPublicKey check will be done.key - the subject public key to check for (or null)getSubjectPublicKey()public void setSubjectPublicKey(byte[] key)
                         throws IOException
X509Certificate
 must contain the specified subject public key. If null,
 no subjectPublicKey check will be done.
 Because this method allows the public key to be specified as a byte array, it may be used for unknown key types.
 If key is not null, it should contain a
 single DER encoded SubjectPublicKeyInfo structure, as defined in X.509.
 The ASN.1 notation for this structure is as follows.
 
 SubjectPublicKeyInfo  ::=  SEQUENCE  {
   algorithm            AlgorithmIdentifier,
   subjectPublicKey     BIT STRING  }
 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
                              -- contains a value of the type
                              -- registered for use with the
                              -- algorithm object identifier value
 Note that the byte array supplied here is cloned to protect against subsequent modifications.
key - a byte array containing the subject public key in ASN.1 DER
            form (or null)IOException - if an encoding error occurs (incorrect form for
 subject public key)getSubjectPublicKey()public void setKeyUsage(boolean[] keyUsage)
X509Certificate
 must allow the specified keyUsage values. If null, no
 keyUsage check will be done. Note that an X509Certificate
 that has no keyUsage extension implicitly allows all keyUsage values.
 Note that the boolean array supplied here is cloned to protect against subsequent modifications.
keyUsage - a boolean array in the same format as the boolean
                 array returned by
 X509Certificate.getKeyUsage().
                 Or null.getKeyUsage()public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException
X509Certificate
 must allow the specified key purposes in its extended key usage
 extension. If keyPurposeSet is empty or null,
 no extendedKeyUsage check will be done. Note that an
 X509Certificate that has no extendedKeyUsage extension
 implicitly allows all key purposes.
 
 Note that the Set is cloned to protect against
 subsequent modifications.
keyPurposeSet - a Set of key purpose OIDs in string
 format (or null). Each OID is represented by a set of
 nonnegative integers separated by periods.IOException - if the OID is invalid, such as
 the first component being not 0, 1 or 2 or the second component
 being greater than 39.getExtendedKeyUsage()public void setMatchAllSubjectAltNames(boolean matchAllNames)
setSubjectAlternativeNames or addSubjectAlternativeName methods. If enabled,
 the X509Certificate must contain all of the
 specified subject alternative names. If disabled, the
 X509Certificate must contain at least one of the
 specified subject alternative names.
 The matchAllNames flag is true by default.
matchAllNames - if true, the flag is enabled;
 if false, the flag is disabled.getMatchAllSubjectAltNames()public void setSubjectAlternativeNames(Collection<List<?>> names) throws IOException
X509Certificate must contain all or at least one of the
 specified subjectAlternativeNames, depending on the value of
 the matchAllNames flag (see setMatchAllSubjectAltNames).
 This method allows the caller to specify, with a single method call, the complete set of subject alternative names for the subjectAlternativeNames criterion. The specified value replaces the previous value for the subjectAlternativeNames criterion.
 The names parameter (if not null) is a
 Collection with one
 entry for each name to be included in the subject alternative name
 criterion. Each entry is a List whose first entry is an
 Integer (the name type, 0-8) and whose second
 entry is a String or a byte array (the name, in
 string or ASN.1 DER encoded form, respectively).
 There can be multiple names of the same type. If null
 is supplied as the value for this argument, no
 subjectAlternativeNames check will be performed.
 
 Each subject alternative name in the Collection
 may be specified either as a String or as an ASN.1 encoded
 byte array. For more details about the formats used, see
 addSubjectAlternativeName(int type, String name) and
 addSubjectAlternativeName(int type, byte [] name).
 
 Note: for distinguished names, specify the byte
 array form instead of the String form. See the note in
 addSubjectAlternativeName(int, String) for more information.
 
 Note that the names parameter can contain duplicate
 names (same name and name type), but they may be removed from the
 Collection of names returned by the
 getSubjectAlternativeNames method.
 
 Note that a deep copy is performed on the Collection to
 protect against subsequent modifications.
names - a Collection of names (or null)IOException - if a parsing error occursgetSubjectAlternativeNames()public void addSubjectAlternativeName(int type,
                                      String name)
                               throws IOException
X509Certificate must contain all or at least one
 of the specified subjectAlternativeNames, depending on the value of
 the matchAllNames flag (see setMatchAllSubjectAltNames).
 This method allows the caller to add a name to the set of subject alternative names. The specified name is added to any previous value for the subjectAlternativeNames criterion. If the specified name is a duplicate, it may be ignored.
 The name is provided in string format.
 RFC 822, DNS, and URI
 names use the well-established string formats for those types (subject to
 the restrictions included in RFC 5280). IPv4 address names are
 supplied using dotted quad notation. OID address names are represented
 as a series of nonnegative integers separated by periods. And
 directory names (distinguished names) are supplied in RFC 2253 format.
 No standard string format is defined for otherNames, X.400 names,
 EDI party names, IPv6 address names, or any other type of names. They
 should be specified using the
 addSubjectAlternativeName(int type, byte [] name)
 method.
 
Note: for distinguished names, use addSubjectAlternativeName(int, byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.
type - the name type (0-8, as specified in
             RFC 5280, section 4.2.1.6)name - the name in string form (not null)IOException - if a parsing error occurspublic void addSubjectAlternativeName(int type,
                                      byte[] name)
                               throws IOException
X509Certificate must contain all or at least one
 of the specified subjectAlternativeNames, depending on the value of
 the matchAllNames flag (see setMatchAllSubjectAltNames).
 This method allows the caller to add a name to the set of subject alternative names. The specified name is added to any previous value for the subjectAlternativeNames criterion. If the specified name is a duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain the DER encoded name, as it would appear in the GeneralName structure defined in RFC 5280 and X.509. The encoded byte array should only contain the encoded value of the name, and should not include the tag associated with the name in the GeneralName structure. The ASN.1 definition of this structure appears below.
  GeneralName ::= CHOICE {
       otherName                       [0]     OtherName,
       rfc822Name                      [1]     IA5String,
       dNSName                         [2]     IA5String,
       x400Address                     [3]     ORAddress,
       directoryName                   [4]     Name,
       ediPartyName                    [5]     EDIPartyName,
       uniformResourceIdentifier       [6]     IA5String,
       iPAddress                       [7]     OCTET STRING,
       registeredID                    [8]     OBJECT IDENTIFIER}
 Note that the byte array supplied here is cloned to protect against subsequent modifications.
type - the name type (0-8, as listed above)name - a byte array containing the name in ASN.1 DER encoded formIOException - if a parsing error occurspublic void setNameConstraints(byte[] bytes)
                        throws IOException
X509Certificate
 must have subject and subject alternative names that
 meet the specified name constraints.
 The name constraints are specified as a byte array. This byte array should contain the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 definition of this structure appears below.
  NameConstraints ::= SEQUENCE {
       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
  GeneralSubtree ::= SEQUENCE {
       base                    GeneralName,
       minimum         [0]     BaseDistance DEFAULT 0,
       maximum         [1]     BaseDistance OPTIONAL }
  BaseDistance ::= INTEGER (0..MAX)
  GeneralName ::= CHOICE {
       otherName                       [0]     OtherName,
       rfc822Name                      [1]     IA5String,
       dNSName                         [2]     IA5String,
       x400Address                     [3]     ORAddress,
       directoryName                   [4]     Name,
       ediPartyName                    [5]     EDIPartyName,
       uniformResourceIdentifier       [6]     IA5String,
       iPAddress                       [7]     OCTET STRING,
       registeredID                    [8]     OBJECT IDENTIFIER}
 Note that the byte array supplied here is cloned to protect against subsequent modifications.
bytes - a byte array containing the ASN.1 DER encoding of
              a NameConstraints extension to be used for checking
              name constraints. Only the value of the extension is
              included, not the OID or criticality flag. Can be
              null,
              in which case no name constraints check will be performed.IOException - if a parsing error occursgetNameConstraints()public void setBasicConstraints(int minMaxPathLen)
X509Certificates must include a
 basicConstraints extension with
 a pathLen of at least this value. If the value is -2, only end-entity
 certificates are accepted. If the value is -1, no check is done.
 This constraint is useful when building a certification path forward (from the target toward the trust anchor. If a partial path has been built, any candidate certificate must have a maxPathLen value greater than or equal to the number of certificates in the partial path.
minMaxPathLen - the value for the basic constraints constraintIllegalArgumentException - if the value is less than -2getBasicConstraints()public void setPolicy(Set<String> certPolicySet) throws IOException
X509Certificate must
 include at least one of the specified policies in its certificate
 policies extension. If certPolicySet is empty, then the
 X509Certificate must include at least some specified policy
 in its certificate policies extension. If certPolicySet is
 null, no policy check will be performed.
 
 Note that the Set is cloned to protect against
 subsequent modifications.
certPolicySet - a Set of certificate policy OIDs in
                      string format (or null). Each OID is
                      represented by a set of nonnegative integers
                    separated by periods.IOException - if a parsing error occurs on the OID such as
 the first component is not 0, 1 or 2 or the second component is
 greater than 39.getPolicy()public void setPathToNames(Collection<List<?>> names) throws IOException
X509Certificate must
 not include name constraints that would prohibit building a
 path to the specified names.
 
 This method allows the caller to specify, with a single method call,
 the complete set of names which the X509Certificates's
 name constraints must permit. The specified value replaces
 the previous value for the pathToNames criterion.
 
This constraint is useful when building a certification path forward (from the target toward the trust anchor. If a partial path has been built, any candidate certificate must not include name constraints that would prohibit building a path to any of the names in the partial path.
 The names parameter (if not null) is a
 Collection with one
 entry for each name to be included in the pathToNames
 criterion. Each entry is a List whose first entry is an
 Integer (the name type, 0-8) and whose second
 entry is a String or a byte array (the name, in
 string or ASN.1 DER encoded form, respectively).
 There can be multiple names of the same type. If null
 is supplied as the value for this argument, no
 pathToNames check will be performed.
 
 Each name in the Collection
 may be specified either as a String or as an ASN.1 encoded
 byte array. For more details about the formats used, see
 addPathToName(int type, String name) and
 addPathToName(int type, byte [] name).
 
 Note: for distinguished names, specify the byte
 array form instead of the String form. See the note in
 addPathToName(int, String) for more information.
 
 Note that the names parameter can contain duplicate
 names (same name and name type), but they may be removed from the
 Collection of names returned by the
 getPathToNames method.
 
 Note that a deep copy is performed on the Collection to
 protect against subsequent modifications.
names - a Collection with one entry per name
              (or null)IOException - if a parsing error occursgetPathToNames()public void addPathToName(int type,
                          String name)
                   throws IOException
X509Certificate
 must not include name constraints that would prohibit building a
 path to the specified name.
 
 This method allows the caller to add a name to the set of names which
 the X509Certificates's name constraints must permit.
 The specified name is added to any previous value for the
 pathToNames criterion.  If the name is a duplicate, it may be ignored.
 
 The name is provided in string format. RFC 822, DNS, and URI names
 use the well-established string formats for those types (subject to
 the restrictions included in RFC 5280). IPv4 address names are
 supplied using dotted quad notation. OID address names are represented
 as a series of nonnegative integers separated by periods. And
 directory names (distinguished names) are supplied in RFC 2253 format.
 No standard string format is defined for otherNames, X.400 names,
 EDI party names, IPv6 address names, or any other type of names. They
 should be specified using the
 addPathToName(int type, byte [] name) method.
 
Note: for distinguished names, use addPathToName(int, byte[]) instead. This method should not be relied on as it can fail to match some certificates because of a loss of encoding information in the RFC 2253 String form of some distinguished names.
type - the name type (0-8, as specified in
             RFC 5280, section 4.2.1.6)name - the name in string formIOException - if a parsing error occurspublic void addPathToName(int type,
                          byte[] name)
                   throws IOException
X509Certificate
 must not include name constraints that would prohibit building a
 path to the specified name.
 
 This method allows the caller to add a name to the set of names which
 the X509Certificates's name constraints must permit.
 The specified name is added to any previous value for the
 pathToNames criterion. If the name is a duplicate, it may be ignored.
 
 The name is provided as a byte array. This byte array should contain
 the DER encoded name, as it would appear in the GeneralName structure
 defined in RFC 5280 and X.509. The ASN.1 definition of this structure
 appears in the documentation for
 addSubjectAlternativeName(int type, byte [] name).
 
Note that the byte array supplied here is cloned to protect against subsequent modifications.
type - the name type (0-8, as specified in
             RFC 5280, section 4.2.1.6)name - a byte array containing the name in ASN.1 DER encoded formIOException - if a parsing error occurspublic X509Certificate getCertificate()
X509Certificate must be equal to the
 X509Certificate passed to the match method.
 If null, this check is not applied.X509Certificate to match (or null)setCertificate(java.security.cert.X509Certificate)public BigInteger getSerialNumber()
X509Certificate. If null, any certificate
 serial number will do.null)setSerialNumber(java.math.BigInteger)public X500Principal getIssuer()
X500Principal. This
 distinguished name must match the issuer distinguished name in the
 X509Certificate. If null, the issuer criterion
 is disabled and any issuer distinguished name will do.null)public String getIssuerAsString()
 Returns the issuer criterion as a String. This
 distinguished name must match the issuer distinguished name in the
 X509Certificate. If null, the issuer criterion
 is disabled and any issuer distinguished name will do.
 
 If the value returned is not null, it is a
 distinguished name, in RFC 2253 format.
null)public byte[] getIssuerAsBytes()
                        throws IOException
X509Certificate. If null, the issuer criterion
 is disabled and any issuer distinguished name will do.
 
 If the value returned is not null, it is a byte
 array containing a single DER encoded distinguished name, as defined in
 X.501. The ASN.1 notation for this structure is supplied in the
 documentation for
 setIssuer(byte [] issuerDN).
 
Note that the byte array returned is cloned to protect against subsequent modifications.
null)IOException - if an encoding error occurspublic X500Principal getSubject()
X500Principal. This
 distinguished name must match the subject distinguished name in the
 X509Certificate. If null, the subject criterion
 is disabled and any subject distinguished name will do.null)public String getSubjectAsString()
 Returns the subject criterion as a String. This
 distinguished name must match the subject distinguished name in the
 X509Certificate. If null, the subject criterion
 is disabled and any subject distinguished name will do.
 
 If the value returned is not null, it is a
 distinguished name, in RFC 2253 format.
null)public byte[] getSubjectAsBytes()
                         throws IOException
X509Certificate. If null, the subject criterion
 is disabled and any subject distinguished name will do.
 
 If the value returned is not null, it is a byte
 array containing a single DER encoded distinguished name, as defined in
 X.501. The ASN.1 notation for this structure is supplied in the
 documentation for
 setSubject(byte [] subjectDN).
 
Note that the byte array returned is cloned to protect against subsequent modifications.
null)IOException - if an encoding error occurspublic byte[] getSubjectKeyIdentifier()
X509Certificate must contain a SubjectKeyIdentifier
 extension with the specified value. If null, no
 subjectKeyIdentifier check will be done.
 Note that the byte array returned is cloned to protect against subsequent modifications.
null)setSubjectKeyIdentifier(byte[])public byte[] getAuthorityKeyIdentifier()
X509Certificate must contain a AuthorityKeyIdentifier
 extension with the specified value. If null, no
 authorityKeyIdentifier check will be done.
 Note that the byte array returned is cloned to protect against subsequent modifications.
null)setAuthorityKeyIdentifier(byte[])public Date getCertificateValid()
X509Certificate. If null, no certificateValid
 check will be done.
 
 Note that the Date returned is cloned to protect against
 subsequent modifications.
Date to check (or null)setCertificateValid(java.util.Date)public Date getPrivateKeyValid()
X509Certificate. If null, no privateKeyValid
 check will be done.
 
 Note that the Date returned is cloned to protect against
 subsequent modifications.
Date to check (or null)setPrivateKeyValid(java.util.Date)public String getSubjectPublicKeyAlgID()
X509Certificate must contain a subject public key
 with the specified algorithm. If null, no
 subjectPublicKeyAlgID check will be done.null). An OID is represented by a set of
         nonnegative integers separated by periods.setSubjectPublicKeyAlgID(java.lang.String)public PublicKey getSubjectPublicKey()
X509Certificate must contain the specified subject
 public key. If null, no subjectPublicKey check will be done.null)setSubjectPublicKey(java.security.PublicKey)public boolean[] getKeyUsage()
X509Certificate
 must allow the specified keyUsage values. If null, no keyUsage
 check will be done.
 Note that the boolean array returned is cloned to protect against subsequent modifications.
X509Certificate.getKeyUsage().
                 Or null.setKeyUsage(boolean[])public Set<String> getExtendedKeyUsage()
X509Certificate
 must allow the specified key purposes in its extended key usage
 extension. If the keyPurposeSet returned is empty or
 null, no extendedKeyUsage check will be done. Note that an
 X509Certificate that has no extendedKeyUsage extension
 implicitly allows all key purposes.Set of key purpose OIDs in string
 format (or null)setExtendedKeyUsage(java.util.Set<java.lang.String>)public boolean getMatchAllSubjectAltNames()
X509Certificate must contain all
 or at least one of the subjectAlternativeNames
 specified in the setSubjectAlternativeNames or addSubjectAlternativeName methods. If true,
 the X509Certificate must contain all of the
 specified subject alternative names. If false, the
 X509Certificate must contain at least one of the
 specified subject alternative names.true if the flag is enabled;
 false if the flag is disabled. The flag is
 true by default.setMatchAllSubjectAltNames(boolean)public Collection<List<?>> getSubjectAlternativeNames()
X509Certificate must contain all or at least one
 of the specified subjectAlternativeNames, depending on the value
 of the matchAllNames flag (see getMatchAllSubjectAltNames). If the value returned is
 null, no subjectAlternativeNames check will be performed.
 
 If the value returned is not null, it is a
 Collection with
 one entry for each name to be included in the subject alternative name
 criterion. Each entry is a List whose first entry is an
 Integer (the name type, 0-8) and whose second
 entry is a String or a byte array (the name, in
 string or ASN.1 DER encoded form, respectively).
 There can be multiple names of the same type.  Note that the
 Collection returned may contain duplicate names (same name
 and name type).
 
 Each subject alternative name in the Collection
 may be specified either as a String or as an ASN.1 encoded
 byte array. For more details about the formats used, see
 addSubjectAlternativeName(int type, String name) and
 addSubjectAlternativeName(int type, byte [] name).
 
 Note that a deep copy is performed on the Collection to
 protect against subsequent modifications.
Collection of names (or null)setSubjectAlternativeNames(java.util.Collection<java.util.List<?>>)public byte[] getNameConstraints()
X509Certificate
 must have subject and subject alternative names that
 meet the specified name constraints.
 
 The name constraints are returned as a byte array. This byte array
 contains the DER encoded form of the name constraints, as they
 would appear in the NameConstraints structure defined in RFC 5280
 and X.509. The ASN.1 notation for this structure is supplied in the
 documentation for
 setNameConstraints(byte [] bytes).
 
Note that the byte array returned is cloned to protect against subsequent modifications.
null if no name constraints check will be performed.setNameConstraints(byte[])public int getBasicConstraints()
X509Certificates must include a
 basicConstraints extension with a pathLen of at least this value.
 If the value is -2, only end-entity certificates are accepted. If
 the value is -1, no basicConstraints check is done.setBasicConstraints(int)public Set<String> getPolicy()
X509Certificate must
 include at least one of the specified policies in its certificate policies
 extension. If the Set returned is empty, then the
 X509Certificate must include at least some specified policy
 in its certificate policies extension. If the Set returned is
 null, no policy check will be performed.Set of certificate policy OIDs in
         string format (or null)setPolicy(java.util.Set<java.lang.String>)public Collection<List<?>> getPathToNames()
X509Certificate must not include name constraints that would
 prohibit building a path to the specified names. If the value
 returned is null, no pathToNames check will be performed.
 
 If the value returned is not null, it is a
 Collection with one
 entry for each name to be included in the pathToNames
 criterion. Each entry is a List whose first entry is an
 Integer (the name type, 0-8) and whose second
 entry is a String or a byte array (the name, in
 string or ASN.1 DER encoded form, respectively).
 There can be multiple names of the same type. Note that the
 Collection returned may contain duplicate names (same
 name and name type).
 
 Each name in the Collection
 may be specified either as a String or as an ASN.1 encoded
 byte array. For more details about the formats used, see
 addPathToName(int type, String name) and
 addPathToName(int type, byte [] name).
 
 Note that a deep copy is performed on the Collection to
 protect against subsequent modifications.
Collection of names (or null)setPathToNames(java.util.Collection<java.util.List<?>>)public String toString()
CertSelector.public boolean match(Certificate cert)
Certificate should be selected.match in interface CertSelectorcert - the Certificate to be checkedtrue if the Certificate should be
         selected, false otherwise Submit a bug or feature 
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
 Copyright © 1993, 2025, Oracle and/or its affiliates.  All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.