* The Private Key Usage Period extension allows the certificate issuer to specify a different validity period for the * private key than the certificate. This extension is intended for use with digital signature keys. This extension * consists of two optional components notBefore and notAfter. The private key associated with the certificate should * not be used to sign objects before or after the times specified by the two components, respectively. * *
* PrivateKeyUsagePeriod ::= SEQUENCE {
* notBefore [0] GeneralizedTime OPTIONAL,
* notAfter [1] GeneralizedTime OPTIONAL }
*
*
* @author Amit Kapoor
* @author Hemma Prafullchandra
* @version 1.12
* @see Extension
* @see CertAttrSet
*/
public class PrivateKeyUsageExtension extends Extension
implements CertAttrSet {
/**
*
*/
private static final long serialVersionUID = -7623695233957629936L;
/**
* Identifier for this attribute, to be used with the
* get, set, delete methods of Certificate, x509 type.
*/
public static final String IDENT = "x509.info.extensions.PrivateKeyUsage";
/**
* Sub attributes name for this CertAttrSet.
*/
public static final String NAME = "PrivateKeyUsage";
public static final String NOT_BEFORE = "not_before";
public static final String NOT_AFTER = "not_after";
// Private data members
private static final byte TAG_BEFORE = 0;
private static final byte TAG_AFTER = 1;
private Date notBefore;
private Date notAfter;
// Encode this extension value.
private void encodeThis() throws IOException {
DerOutputStream seq = new DerOutputStream();
DerOutputStream tagged = new DerOutputStream();
if (notBefore != null) {
DerOutputStream tmp = new DerOutputStream();
tmp.putGeneralizedTime(notBefore);
tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT,
false, TAG_BEFORE), tmp);
}
if (notAfter != null) {
DerOutputStream tmp = new DerOutputStream();
tmp.putGeneralizedTime(notAfter);
tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT,
false, TAG_AFTER), tmp);
}
seq.write(DerValue.tag_Sequence, tagged);
extensionValue = seq.toByteArray();
}
/**
* The default constructor for PrivateKeyUsageExtension.
*
* @param notBefore the date/time before which the private key
* should not be used.
* @param notAfter the date/time after which the private key
* should not be used.
*/
public PrivateKeyUsageExtension(Date notBefore, Date notAfter)
throws IOException {
this.notBefore = notBefore;
this.notAfter = notAfter;
this.extensionId = PKIXExtensions.PrivateKeyUsage_Id;
this.critical = false;
encodeThis();
}
/**
* Create the extension from the passed DER encoded value.
*
* @param critical true if the extension is to be treated as critical.
* @param value Array of DER encoded bytes of the actual value.
*
* @exception CertificateException on certificate parsing errors.
* @exception IOException on error.
*/
public PrivateKeyUsageExtension(Boolean critical, Object value)
throws CertificateException, IOException {
this.extensionId = PKIXExtensions.PrivateKeyUsage_Id;
this.critical = critical.booleanValue();
if (!(value instanceof byte[]))
throw new CertificateException("Illegal argument type");
int len = Array.getLength(value);
byte[] extValue = new byte[len];
System.arraycopy(value, 0, extValue, 0, len);
this.extensionValue = extValue;
DerInputStream str = new DerInputStream(extValue);
DerValue[] seq = str.getSequence(2);
// NB. this is always encoded with the IMPLICIT tag
// The checks only make sense if we assume implicit tagging,
// with explicit tagging the form is always constructed.
for (int i = 0; i < seq.length; i++) {
DerValue opt = seq[i];
if (opt.isContextSpecific(TAG_BEFORE) &&
!opt.isConstructed()) {
if (notBefore != null) {
throw new CertificateParsingException(
"Duplicate notBefore in PrivateKeyUsage.");
}
opt.resetTag(DerValue.tag_GeneralizedTime);
str = new DerInputStream(opt.toByteArray());
notBefore = str.getGeneralizedTime();
} else if (opt.isContextSpecific(TAG_AFTER) &&
!opt.isConstructed()) {
if (notAfter != null) {
throw new CertificateParsingException(
"Duplicate notAfter in PrivateKeyUsage.");
}
opt.resetTag(DerValue.tag_GeneralizedTime);
str = new DerInputStream(opt.toByteArray());
notAfter = str.getGeneralizedTime();
} else
throw new IOException("Invalid encoding of " +
"PrivateKeyUsageExtension");
}
}
/**
* Return the printable string.
*/
public String toString() {
return (super.toString() +
"PrivateKeyUsage: [From: " +
((notBefore == null) ? "" : notBefore.toString()) +
", To: " +
((notAfter == null) ? "" : notAfter.toString()) + "]\n");
}
/**
* Return notBefore date
*/
public Date getNotBefore() {
return (notBefore);
}
/**
* Return notAfter date
*/
public Date getNotAfter() {
return (notAfter);
}
/**
* Verify that that the current time is within the validity period.
*
* @exception CertificateExpiredException if the certificate has expired.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid.
*/
public void valid()
throws CertificateNotYetValidException, CertificateExpiredException {
Date now = new Date();
valid(now);
}
/**
* Verify that that the passed time is within the validity period.
*
* @exception CertificateExpiredException if the certificate has expired
* with respect to the Date supplied.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid with respect to the Date supplied.
*
*/
public void valid(Date now)
throws CertificateNotYetValidException, CertificateExpiredException {
/*
* we use the internal Dates rather than the passed in Date
* because someone could override the Date methods after()
* and before() to do something entirely different.
*/
if (notBefore.after(now)) {
throw new CertificateNotYetValidException("NotBefore: " +
notBefore.toString());
}
if (notAfter.before(now)) {
throw new CertificateExpiredException("NotAfter: " +
notAfter.toString());
}
}
/**
* Write the extension to the OutputStream.
*
* @param out the OutputStream to write the extension to.
* @exception IOException on encoding errors.
*/
public void encode(OutputStream out) throws IOException {
DerOutputStream tmp = new DerOutputStream();
if (extensionValue == null) {
extensionId = PKIXExtensions.PrivateKeyUsage_Id;
critical = false;
encodeThis();
}
super.encode(tmp);
out.write(tmp.toByteArray());
}
/**
* Decode the extension from the InputStream.
*
* @param in the InputStream to unmarshal the contents from.
* @exception CertificateException on decoding errors.
*/
public void decode(InputStream in) throws CertificateException {
throw new CertificateException("Method not to be called directly.");
}
/**
* Set the attribute value.
*
* @exception CertificateException on attribute handling errors.
*/
public void set(String name, Object obj)
throws CertificateException {
clearValue();
if (!(obj instanceof Date)) {
throw new CertificateException("Attribute must be of type Date.");
}
if (name.equalsIgnoreCase(NOT_BEFORE)) {
notBefore = (Date) obj;
} else if (name.equalsIgnoreCase(NOT_AFTER)) {
notAfter = (Date) obj;
} else {
throw new CertificateException("Attribute name not recognized by"
+ " CertAttrSet:PrivateKeyUsage.");
}
}
/**
* Get the attribute value.
*
* @exception CertificateException on attribute handling errors.
*/
public Object get(String name) throws CertificateException {
if (name.equalsIgnoreCase(NOT_BEFORE)) {
return (new Date(notBefore.getTime()));
} else if (name.equalsIgnoreCase(NOT_AFTER)) {
return (new Date(notAfter.getTime()));
} else {
throw new CertificateException("Attribute name not recognized by"
+ " CertAttrSet:PrivateKeyUsage.");
}
}
/**
* Delete the attribute value.
*
* @exception CertificateException on attribute handling errors.
*/
public void delete(String name) throws CertificateException {
if (name.equalsIgnoreCase(NOT_BEFORE)) {
notBefore = null;
} else if (name.equalsIgnoreCase(NOT_AFTER)) {
notAfter = null;
} else {
throw new CertificateException("Attribute name not recognized by"
+ " CertAttrSet:PrivateKeyUsage.");
}
}
/**
* Return an enumeration of names of attributes existing within this
* attribute.
*/
public Enumeration