The java.security.cert.Certificate and java.security.cert.CRL abstract classes define the interface. They represent certificates and certificate revocation lists (CRLs), respectively.
The CertificateFactory class is their factory.
The java.security.cert package contains concrete implementations of the Certificate and CRL abstract classes: the X509Certificate and X509CRL classes. These two classes implement basic certificate and CRL functionality, then extend it with X.509-specific functionality.
When a CertificateFactory instance returns an instance of either class, a program can either use it as-is or explicitly cast it to the X.509 form.
In the java.security.cert package, the X509Extension interface defines access to an X.509 certificate's extensions. Extensions are optional components that provide a mechanism for certificate creators to associate additional information with a certificate. For example, a certificate may use the KeyUsage extension to indicate that it can be used for code signing.
The java.security.cert package also includes a Service Provider Interface (SPI) class. A cryptographic service provider that wishes to support a certificate type extends the SPI. Java 2 comes with an SPI for X.509 certificates.
Let's take a more detailed look at the classes and interfaces in the java.security.cert package. For brevity's sake, I will discuss only the most useful methods. For more comprehensive coverage, I encourage you to read Sun's documentation. (See Resources.)
The story begins with java.security.cert.CertificateFactory. The CertificateFactory class has static methods that create a CertificateFactory instance for a specific type of certificate, and methods that create both certificates and CRLs from data supplied in an input stream. I will briefly describe the most important methods, then explain how to use these methods when generating X.509 certificates and CRLs. Later in the article, I'll present code that demonstrates the methods in action.
public static CertificateFactory getInstance(String stringType) and public static CertificateFactory getInstance(String stringType, String stringProvider) instantiate and return an instance of a certificate factory for the certificate type specified by the stringType parameter. For example, if the value of stringType is the string "X.509", both methods will return an instance of the CertificateFactory class suitable for creating instances of the classes X509Certificate and X509CRL. The second method accepts the name of a specific cryptographic service provider as an argument and uses that provider instead of the default.
public final Certificate generateCertificate(InputStream inputstream) instantiates and returns a certificate using data read from the supplied InputStream instance. If the stream contains more than one certificate and the stream supports the mark() and reset() operations, the method will read one certificate and leave the stream positioned before the next.
public final Collection generateCertificates(InputStream inputstream) instantiates and returns a certificate collection using data read from the supplied InputStream instance. If the given stream does not support mark() and reset(), the method will consume the entire stream.
public final CRL generateCRL(InputStream inputstream) instantiates and returns a CRL using data read from the supplied InputStream instance. If the stream contains more than one CRL and supports the mark() and reset() operations, the method will read one CRL and leave the stream positioned before the next.
public final Collection generateCRLs(InputStream inputstream) instantiates and returns a collection of CRLs using data read from the supplied InputStream instance. If the given stream does not support mark() and reset(), the method will consume the entire stream.
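The following added example (not the article's own code) parses a stream holding several certificates, first one at a time with generateCertificate() and then in a single generateCertificates() call, and casts each result to X509Certificate to read its validity and KeyUsage data. The class name CertStreamDemo is hypothetical, and the sample stream is constructed from the JRE's default trust anchors on the assumption that the default provider accepts back-to-back DER encodings.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertStreamDemo { // hypothetical class name
    // Constructed sample input: DER encodings of up to three default trust anchors, back to back.
    static byte[] sampleStream() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509Certificate[] roots = ((X509TrustManager) tm).getAcceptedIssuers();
            for (int i = 0; i < Math.min(3, roots.length); i++) out.write(roots[i].getEncoded());
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] der = sampleStream();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // One at a time: ByteArrayInputStream supports mark()/reset(), so each call
        // stops at the start of the next certificate.
        ByteArrayInputStream in = new ByteArrayInputStream(der);
        while (in.available() > 0) {
            Certificate cert = cf.generateCertificate(in);
            X509Certificate x509 = (X509Certificate) cert; // explicit cast to the X.509 form
            boolean[] ku = x509.getKeyUsage(); // null when the KeyUsage extension is absent
            System.out.println(x509.getSubjectX500Principal().getName());
            System.out.println("  notAfter=" + x509.getNotAfter()
                + " keyCertSign=" + (ku != null && ku.length > 5 && ku[5])
                + " criticalExts=" + x509.getCriticalExtensionOIDs());
        }

        // All at once: one call consumes the stream and returns every certificate in it.
        Collection<? extends Certificate> all = cf.generateCertificates(new ByteArrayInputStream(der));
        System.out.println(all.size() + " certificates parsed in a single call");
    }
}
```

Parsing a certificate this way only decodes it; the signature, validity period and revocation status still have to be checked before the certificate is trusted.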
It is important to understand how those four methods behave when generating X.509 instances from a stream of data. Let's take a look.
java.security.cert