1 /*
2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3 * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
4 *
5 *
6 *
7 *
8 *
9 *
10 *
11 *
12 *
13 *
14 *
15 *
16 *
17 *
18 *
19 *
20 *
21 *
22 *
23 *
24 */
25
26 package java.security.cert;
27
28 import java.math.BigInteger;
29 import java.security.*;
30 import java.util.Collection;
31 import java.util.Date;
32 import java.util.List;
33 import javax.security.auth.x500.X500Principal;
34
35 import sun.security.x509.X509CertImpl;
36
37 /**
38 * <p>
39 * Abstract class for X.509 certificates. This provides a standard
40 * way to access all the attributes of an X.509 certificate.
41 * <p>
42 * In June of 1996, the basic X.509 v3 format was completed by
43 * ISO/IEC and ANSI X9, which is described below in ASN.1:
44 * <pre>
45 * Certificate ::= SEQUENCE {
46 * tbsCertificate TBSCertificate,
47 * signatureAlgorithm AlgorithmIdentifier,
48 * signature BIT STRING }
49 * </pre>
50 * <p>
51 * These certificates are widely used to support authentication and
52 * other functionality in Internet security systems. Common applications
53 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
54 * code signing for trusted software distribution, and Secure Electronic
55 * Transactions (SET).
56 * <p>
57 * These certificates are managed and vouched for by <em>Certificate
58 * Authorities</em> (CAs). CAs are services which create certificates by
59 * placing data in the X.509 standard format and then digitally signing
60 * that data. CAs act as trusted third parties, making introductions
61 * between principals who have no direct knowledge of each other.
62 * CA certificates are either signed by themselves, or by some other
63 * CA such as a "root" CA.
64 * <p>
65 * More information can be found in
66 * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
67 * Public Key Infrastructure Certificate and CRL Profile</a>.
68 * <p>
69 * The ASN.1 definition of {@code tbsCertificate} is:
70 * <pre>
71 * TBSCertificate ::= SEQUENCE {
72 * version [0] EXPLICIT Version DEFAULT v1,
73 * serialNumber CertificateSerialNumber,
74 * signature AlgorithmIdentifier,
75 * issuer Name,
76 * validity Validity,
77 * subject Name,
78 * subjectPublicKeyInfo SubjectPublicKeyInfo,
79 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
80 * -- If present, version must be v2 or v3
81 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
82 * -- If present, version must be v2 or v3
83 * extensions [3] EXPLICIT Extensions OPTIONAL
84 * -- If present, version must be v3
85 * }
86 * </pre>
87 * <p>
88 * Certificates are instantiated using a certificate factory. The following is
89 * an example of how to instantiate an X.509 certificate:
90 * <pre>
91 * try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
92 * CertificateFactory cf = CertificateFactory.getInstance("X.509");
93 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
94 * }
95 * </pre>
96 *
97 * @author Hemma Prafullchandra
98 *
99 *
100 * @see Certificate
101 * @see CertificateFactory
102 * @see X509Extension
103 */
104
105 public abstract class X509Certificate extends Certificate
106 implements X509Extension {
107
108 private static final long serialVersionUID = -2491127588187038216L;
109
110 private transient X500Principal subjectX500Principal, issuerX500Principal;
111
112 /**
113 * Constructor for X.509 certificates.
114 */
115 protected X509Certificate() {
116 super("X.509");
117 }
118
119 /**
120 * Checks that the certificate is currently valid. It is if
121 * the current date and time are within the validity period given in the
122 * certificate.
123 * <p>
124 * The validity period consists of two date/time values:
125 * the first and last dates (and times) on which the certificate
126 * is valid. It is defined in
127 * ASN.1 as:
128 * <pre>
129 * validity Validity
130 *
131 * Validity ::= SEQUENCE {
132 * notBefore CertificateValidityDate,
133 * notAfter CertificateValidityDate }
134 *
135 * CertificateValidityDate ::= CHOICE {
136 * utcTime UTCTime,
137 * generalTime GeneralizedTime }
138 * </pre>
139 *
140 * @exception CertificateExpiredException if the certificate has expired.
141 * @exception CertificateNotYetValidException if the certificate is not
142 * yet valid.
143 */
144 public abstract void checkValidity()
145 throws CertificateExpiredException, CertificateNotYetValidException;
146
147 /**
148 * Checks that the given date is within the certificate's
149 * validity period. In other words, this determines whether the
150 * certificate would be valid at the given date/time.
151 *
152 * @param date the Date to check against to see if this certificate
153 * is valid at that date/time.
154 *
155 * @exception CertificateExpiredException if the certificate has expired
156 * with respect to the {@code date} supplied.
157 * @exception CertificateNotYetValidException if the certificate is not
158 * yet valid with respect to the {@code date} supplied.
159 *
160 * @see #checkValidity()
161 */
162 public abstract void checkValidity(Date date)
163 throws CertificateExpiredException, CertificateNotYetValidException;
164
165 /**
166 * Gets the {@code version} (version number) value from the
167 * certificate.
168 * The ASN.1 definition for this is:
169 * <pre>
170 * version [0] EXPLICIT Version DEFAULT v1
171 *
172 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
173 * </pre>
174 * @return the version number, i.e. 1, 2 or 3.
175 */
176 public abstract int getVersion();
177
178 /**
179 * Gets the {@code serialNumber} value from the certificate.
180 * The serial number is an integer assigned by the certification
181 * authority to each certificate. It must be unique for each
182 * certificate issued by a given CA (i.e., the issuer name and
183 * serial number identify a unique certificate).
184 * The ASN.1 definition for this is:
185 * <pre>
186 * serialNumber CertificateSerialNumber
187 *
188 * CertificateSerialNumber ::= INTEGER
189 * </pre>
190 *
191 * @return the serial number.
192 */
193 public abstract BigInteger getSerialNumber();
194
195 /**
196 * <strong>Denigrated</strong>, replaced by {@linkplain
197 * #getIssuerX500Principal()}. This method returns the {@code issuer}
198 * as an implementation specific Principal object, which should not be
199 * relied upon by portable code.
200 *
201 * <p>
202 * Gets the {@code issuer} (issuer distinguished name) value from
203 * the certificate. The issuer name identifies the entity that signed (and
204 * issued) the certificate.
205 *
206 * <p>The issuer name field contains an
207 * X.500 distinguished name (DN).
208 * The ASN.1 definition for this is:
209 * <pre>
210 * issuer Name
211 *
212 * Name ::= CHOICE { RDNSequence }
213 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
214 * RelativeDistinguishedName ::=
215 * SET OF AttributeValueAssertion
216 *
217 * AttributeValueAssertion ::= SEQUENCE {
218 * AttributeType,
219 * AttributeValue }
220 * AttributeType ::= OBJECT IDENTIFIER
221 * AttributeValue ::= ANY
222 * </pre>
223 * The {@code Name} describes a hierarchical name composed of
224 * attributes,
225 * such as country name, and corresponding values, such as US.
226 * The type of the {@code AttributeValue} component is determined by
227 * the {@code AttributeType}; in general it will be a
228 * {@code directoryString}. A {@code directoryString} is usually
229 * one of {@code PrintableString},
230 * {@code TeletexString} or {@code UniversalString}.
231 *
232 * @return a Principal whose name is the issuer distinguished name.
233 */
234 public abstract Principal getIssuerDN();
235
236 /**
237 * Returns the issuer (issuer distinguished name) value from the
238 * certificate as an {@code X500Principal}.
239 * <p>
240 * It is recommended that subclasses override this method.
241 *
242 * @return an {@code X500Principal} representing the issuer
243 * distinguished name
244 * @since 1.4
245 */
246 public X500Principal getIssuerX500Principal() {
247 if (issuerX500Principal == null) {
248 issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
249 }
250 return issuerX500Principal;
251 }
252
253 /**
254 * <strong>Denigrated</strong>, replaced by {@linkplain
255 * #getSubjectX500Principal()}. This method returns the {@code subject}
256 * as an implementation specific Principal object, which should not be
257 * relied upon by portable code.
258 *
259 * <p>
260 * Gets the {@code subject} (subject distinguished name) value
261 * from the certificate. If the {@code subject} value is empty,
262 * then the {@code getName()} method of the returned
263 * {@code Principal} object returns an empty string ("").
264 *
265 * <p> The ASN.1 definition for this is:
266 * <pre>
267 * subject Name
268 * </pre>
269 *
270 * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
271 * and other relevant definitions.
272 *
273 * @return a Principal whose name is the subject name.
274 */
275 public abstract Principal getSubjectDN();
276
277 /**
278 * Returns the subject (subject distinguished name) value from the
279 * certificate as an {@code X500Principal}. If the subject value
280 * is empty, then the {@code getName()} method of the returned
281 * {@code X500Principal} object returns an empty string ("").
282 * <p>
283 * It is recommended that subclasses override this method.
284 *
285 * @return an {@code X500Principal} representing the subject
286 * distinguished name
287 * @since 1.4
288 */
289 public X500Principal getSubjectX500Principal() {
290 if (subjectX500Principal == null) {
291 subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
292 }
293 return subjectX500Principal;
294 }
295
296 /**
297 * Gets the {@code notBefore} date from the validity period of
298 * the certificate.
299 * The relevant ASN.1 definitions are:
300 * <pre>
301 * validity Validity
302 *
303 * Validity ::= SEQUENCE {
304 * notBefore CertificateValidityDate,
305 * notAfter CertificateValidityDate }
306 *
307 * CertificateValidityDate ::= CHOICE {
308 * utcTime UTCTime,
309 * generalTime GeneralizedTime }
310 * </pre>
311 *
312 * @return the start date of the validity period.
313 * @see #checkValidity
314 */
315 public abstract Date getNotBefore();
316
317 /**
318 * Gets the {@code notAfter} date from the validity period of
319 * the certificate. See {@link #getNotBefore() getNotBefore}
320 * for relevant ASN.1 definitions.
321 *
322 * @return the end date of the validity period.
323 * @see #checkValidity
324 */
325 public abstract Date getNotAfter();
326
327 /**
328 * Gets the DER-encoded certificate information, the
329 * {@code tbsCertificate} from this certificate.
330 * This can be used to verify the signature independently.
331 *
332 * @return the DER-encoded certificate information.
333 * @exception CertificateEncodingException if an encoding error occurs.
334 */
335 public abstract byte[] getTBSCertificate()
336 throws CertificateEncodingException;
337
338 /**
339 * Gets the {@code signature} value (the raw signature bits) from
340 * the certificate.
341 * The ASN.1 definition for this is:
342 * <pre>
343 * signature BIT STRING
344 * </pre>
345 *
346 * @return the signature.
347 */
348 public abstract byte[] getSignature();
349
350 /**
351 * Gets the signature algorithm name for the certificate
352 * signature algorithm. An example is the string "SHA256withRSA".
353 * The ASN.1 definition for this is:
354 * <pre>
355 * signatureAlgorithm AlgorithmIdentifier
356 *
357 * AlgorithmIdentifier ::= SEQUENCE {
358 * algorithm OBJECT IDENTIFIER,
359 * parameters ANY DEFINED BY algorithm OPTIONAL }
360 * -- contains a value of the type
361 * -- registered for use with the
362 * -- algorithm object identifier value
363 * </pre>
364 *
365 * <p>The algorithm name is determined from the {@code algorithm}
366 * OID string.
367 *
368 * @return the signature algorithm name.
369 */
370 public abstract String getSigAlgName();
371
372 /**
373 * Gets the signature algorithm OID string from the certificate.
374 * An OID is represented by a set of nonnegative whole numbers separated
375 * by periods.
376 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
377 * with DSA signature algorithm defined in
378 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
379 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
380 * and CRL Profile</a>.
381 *
382 * <p>See {@link #getSigAlgName() getSigAlgName} for
383 * relevant ASN.1 definitions.
384 *
385 * @return the signature algorithm OID string.
386 */
387 public abstract String getSigAlgOID();
388
389 /**
390 * Gets the DER-encoded signature algorithm parameters from this
391 * certificate's signature algorithm. In most cases, the signature
392 * algorithm parameters are null; the parameters are usually
393 * supplied with the certificate's public key.
394 * If access to individual parameter values is needed then use
395 * {@link java.security.AlgorithmParameters AlgorithmParameters}
396 * and instantiate with the name returned by
397 * {@link #getSigAlgName() getSigAlgName}.
398 *
399 * <p>See {@link #getSigAlgName() getSigAlgName} for
400 * relevant ASN.1 definitions.
401 *
402 * @return the DER-encoded signature algorithm parameters, or
403 * null if no parameters are present.
404 */
405 public abstract byte[] getSigAlgParams();
406
407 /**
408 * Gets the {@code issuerUniqueID} value from the certificate.
409 * The issuer unique identifier is present in the certificate
410 * to handle the possibility of reuse of issuer names over time.
411 * RFC 3280 recommends that names not be reused and that
412 * conforming certificates not make use of unique identifiers.
413 * Applications conforming to that profile should be capable of
414 * parsing unique identifiers and making comparisons.
415 *
416 * <p>The ASN.1 definition for this is:
417 * <pre>
418 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL
419 *
420 * UniqueIdentifier ::= BIT STRING
421 * </pre>
422 *
423 * @return the issuer unique identifier or null if it is not
424 * present in the certificate.
425 */
426 public abstract boolean[] getIssuerUniqueID();
427
428 /**
429 * Gets the {@code subjectUniqueID} value from the certificate.
430 *
431 * <p>The ASN.1 definition for this is:
432 * <pre>
433 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
434 *
435 * UniqueIdentifier ::= BIT STRING
436 * </pre>
437 *
438 * @return the subject unique identifier or null if it is not
439 * present in the certificate.
440 */
441 public abstract boolean[] getSubjectUniqueID();
442
443 /**
444 * Gets a boolean array representing bits of
445 * the {@code KeyUsage} extension, (OID = 2.5.29.15).
446 * The key usage extension defines the purpose (e.g., encipherment,
447 * signature, certificate signing) of the key contained in the
448 * certificate.
449 * The ASN.1 definition for this is:
450 * <pre>
451 * KeyUsage ::= BIT STRING {
452 * digitalSignature (0),
453 * nonRepudiation (1),
454 * keyEncipherment (2),
455 * dataEncipherment (3),
456 * keyAgreement (4),
457 * keyCertSign (5),
458 * cRLSign (6),
459 * encipherOnly (7),
460 * decipherOnly (8) }
461 * </pre>
462 * RFC 3280 recommends that when used, this be marked
463 * as a critical extension.
464 *
465 * @return the KeyUsage extension of this certificate, represented as
466 * an array of booleans. The order of KeyUsage values in the array is
467 * the same as in the above ASN.1 definition. The array will contain a
468 * value for each KeyUsage defined above. If the KeyUsage list encoded
469 * in the certificate is longer than the above list, it will not be
470 * truncated. Returns null if this certificate does not
471 * contain a KeyUsage extension.
472 */
473 public abstract boolean[] getKeyUsage();
474
475 /**
476 * Gets an unmodifiable list of Strings representing the OBJECT
477 * IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
478 * extended key usage extension, (OID = 2.5.29.37). It indicates
479 * one or more purposes for which the certified public key may be
480 * used, in addition to or in place of the basic purposes
481 * indicated in the key usage extension field. The ASN.1
482 * definition for this is:
483 * <pre>
484 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
485 *
486 * KeyPurposeId ::= OBJECT IDENTIFIER
487 * </pre>
488 *
489 * Key purposes may be defined by any organization with a
490 * need. Object identifiers used to identify key purposes shall be
491 * assigned in accordance with IANA or ITU-T Rec. X.660 |
492 * ISO/IEC/ITU 9834-1.
493 * <p>
494 * This method was added to version 1.4 of the Java 2 Platform Standard
495 * Edition. In order to maintain backwards compatibility with existing
496 * service providers, this method is not {@code abstract}
497 * and it provides a default implementation. Subclasses
498 * should override this method with a correct implementation.
499 *
500 * @return the ExtendedKeyUsage extension of this certificate,
501 * as an unmodifiable list of object identifiers represented
502 * as Strings. Returns null if this certificate does not
503 * contain an ExtendedKeyUsage extension.
504 * @throws CertificateParsingException if the extension cannot be decoded
505 * @since 1.4
506 */
507 public List<String> getExtendedKeyUsage() throws CertificateParsingException {
508 return X509CertImpl.getExtendedKeyUsage(this);
509 }
510
511 /**
512 * Gets the certificate constraints path length from the
513 * critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
514 * <p>
515 * The basic constraints extension identifies whether the subject
516 * of the certificate is a Certificate Authority (CA) and
517 * how deep a certification path may exist through that CA. The
518 * {@code pathLenConstraint} field (see below) is meaningful
519 * only if {@code cA} is set to TRUE. In this case, it gives the
520 * maximum number of CA certificates that may follow this certificate in a
521 * certification path. A value of zero indicates that only an end-entity
522 * certificate may follow in the path.
523 * <p>
524 * The ASN.1 definition for this is:
525 * <pre>
526 * BasicConstraints ::= SEQUENCE {
527 * cA BOOLEAN DEFAULT FALSE,
528 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
529 * </pre>
530 *
531 * @return the value of {@code pathLenConstraint} if the
532 * BasicConstraints extension is present in the certificate and the
533 * subject of the certificate is a CA, otherwise -1.
534 * If the subject of the certificate is a CA and
535 * {@code pathLenConstraint} does not appear,
536 * {@code Integer.MAX_VALUE} is returned to indicate that there is no
537 * limit to the allowed length of the certification path.
538 */
539 public abstract int getBasicConstraints();
540
541 /**
542 * Gets an immutable collection of subject alternative names from the
543 * {@code SubjectAltName} extension, (OID = 2.5.29.17).
544 * <p>
545 * The ASN.1 definition of the {@code SubjectAltName} extension is:
546 * <pre>
547 * SubjectAltName ::= GeneralNames
548 *
549 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
550 *
551 * GeneralName ::= CHOICE {
552 * otherName [0] OtherName,
553 * rfc822Name [1] IA5String,
554 * dNSName [2] IA5String,
555 * x400Address [3] ORAddress,
556 * directoryName [4] Name,
557 * ediPartyName [5] EDIPartyName,
558 * uniformResourceIdentifier [6] IA5String,
559 * iPAddress [7] OCTET STRING,
560 * registeredID [8] OBJECT IDENTIFIER}
561 * </pre>
562 * <p>
563 * If this certificate does not contain a {@code SubjectAltName}
564 * extension, {@code null} is returned. Otherwise, a
565 * {@code Collection} is returned with an entry representing each
566 * {@code GeneralName} included in the extension. Each entry is a
567 * {@code List} whose first entry is an {@code Integer}
568 * (the name type, 0-8) and whose second entry is a {@code String}
569 * or a byte array (the name, in string or ASN.1 DER encoded form,
570 * respectively).
571 * <p>
572 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
573 * names are returned as {@code String}s,
574 * using the well-established string formats for those types (subject to
575 * the restrictions included in RFC 3280). IPv4 address names are
576 * returned using dotted quad notation. IPv6 address names are returned
577 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
578 * representing the eight 16-bit pieces of the address. OID names are
579 * returned as {@code String}s represented as a series of nonnegative
580 * integers separated by periods. And directory names (distinguished names)
581 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
582 * RFC 2253</a> string format. No standard string format is
583 * defined for otherNames, X.400 names, EDI party names, or any
584 * other type of names. They are returned as byte arrays
585 * containing the ASN.1 DER encoded form of the name.
586 * <p>
587 * Note that the {@code Collection} returned may contain more
588 * than one name of the same type. Also, note that the returned
589 * {@code Collection} is immutable and any entries containing byte
590 * arrays are cloned to protect against subsequent modifications.
591 * <p>
592 * This method was added to version 1.4 of the Java 2 Platform Standard
593 * Edition. In order to maintain backwards compatibility with existing
594 * service providers, this method is not {@code abstract}
595 * and it provides a default implementation. Subclasses
596 * should override this method with a correct implementation.
597 *
598 * @return an immutable {@code Collection} of subject alternative
599 * names (or {@code null})
600 * @throws CertificateParsingException if the extension cannot be decoded
601 * @since 1.4
602 */
603 public Collection<List<?>> getSubjectAlternativeNames()
604 throws CertificateParsingException {
605 return X509CertImpl.getSubjectAlternativeNames(this);
606 }
607
608 /**
609 * Gets an immutable collection of issuer alternative names from the
610 * {@code IssuerAltName} extension, (OID = 2.5.29.18).
611 * <p>
612 * The ASN.1 definition of the {@code IssuerAltName} extension is:
613 * <pre>
614 * IssuerAltName ::= GeneralNames
615 * </pre>
616 * The ASN.1 definition of {@code GeneralNames} is defined
617 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
618 * <p>
619 * If this certificate does not contain an {@code IssuerAltName}
620 * extension, {@code null} is returned. Otherwise, a
621 * {@code Collection} is returned with an entry representing each
622 * {@code GeneralName} included in the extension. Each entry is a
623 * {@code List} whose first entry is an {@code Integer}
624 * (the name type, 0-8) and whose second entry is a {@code String}
625 * or a byte array (the name, in string or ASN.1 DER encoded form,
626 * respectively). For more details about the formats used for each
627 * name type, see the {@code getSubjectAlternativeNames} method.
628 * <p>
629 * Note that the {@code Collection} returned may contain more
630 * than one name of the same type. Also, note that the returned
631 * {@code Collection} is immutable and any entries containing byte
632 * arrays are cloned to protect against subsequent modifications.
633 * <p>
634 * This method was added to version 1.4 of the Java 2 Platform Standard
635 * Edition. In order to maintain backwards compatibility with existing
636 * service providers, this method is not {@code abstract}
637 * and it provides a default implementation. Subclasses
638 * should override this method with a correct implementation.
639 *
640 * @return an immutable {@code Collection} of issuer alternative
641 * names (or {@code null})
642 * @throws CertificateParsingException if the extension cannot be decoded
643 * @since 1.4
644 */
645 public Collection<List<?>> getIssuerAlternativeNames()
646 throws CertificateParsingException {
647 return X509CertImpl.getIssuerAlternativeNames(this);
648 }
649
650 /**
651 * Verifies that this certificate was signed using the
652 * private key that corresponds to the specified public key.
653 * This method uses the signature verification engine
654 * supplied by the specified provider. Note that the specified
655 * Provider object does not have to be registered in the provider list.
656 *
657 * This method was added to version 1.8 of the Java Platform Standard
658 * Edition. In order to maintain backwards compatibility with existing
659 * service providers, this method is not {@code abstract}
660 * and it provides a default implementation.
661 *
662 * @param key the PublicKey used to carry out the verification.
663 * @param sigProvider the signature provider.
664 *
665 * @exception NoSuchAlgorithmException on unsupported signature
666 * algorithms.
667 * @exception InvalidKeyException on incorrect key.
668 * @exception SignatureException on signature errors.
669 * @exception CertificateException on encoding errors.
670 * @exception UnsupportedOperationException if the method is not supported
671 * @since 1.8
672 */
673 public void verify(PublicKey key, Provider sigProvider)
674 throws CertificateException, NoSuchAlgorithmException,
675 InvalidKeyException, SignatureException {
676 X509CertImpl.verify(this, key, sigProvider);
677 }
678 }
679