author | coffeys |
Fri, 21 Jun 2019 08:07:18 +0000 | |
changeset 55459 | 00f29fe98900 |
parent 47216 | 71c04702a3d5 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30033
diff
changeset
|
2 |
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package java.security.cert; |
|
27 |
||
28 |
import java.io.IOException; |
|
29 |
import java.math.BigInteger; |
|
30 |
import java.security.PublicKey; |
|
31 |
import java.util.*; |
|
32 |
import javax.security.auth.x500.X500Principal; |
|
33 |
||
34687
d302ed125dc9
8144995: Move sun.misc.HexDumpEncoder to sun.security.util
chegar
parents:
32649
diff
changeset
|
34 |
import sun.security.util.HexDumpEncoder; |
2 | 35 |
import sun.security.util.Debug; |
36 |
import sun.security.util.DerInputStream; |
|
37 |
import sun.security.util.DerValue; |
|
38 |
import sun.security.util.ObjectIdentifier; |
|
39 |
import sun.security.x509.*; |
|
40 |
||
41 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
42 |
* A {@code CertSelector} that selects {@code X509Certificates} that |
2 | 43 |
* match all specified criteria. This class is particularly useful when |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
44 |
* selecting certificates from a {@code CertStore} to build a |
2 | 45 |
* PKIX-compliant certification path. |
46 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
47 |
* When first constructed, an {@code X509CertSelector} has no criteria |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
48 |
* enabled and each of the {@code get} methods return a default value |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
49 |
* ({@code null}, or {@code -1} for the {@link #getBasicConstraints |
2 | 50 |
* getBasicConstraints} method). Therefore, the {@link #match match} |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
51 |
* method would return {@code true} for any {@code X509Certificate}. |
2 | 52 |
* Typically, several criteria are enabled (by calling |
53 |
* {@link #setIssuer setIssuer} or |
|
54 |
* {@link #setKeyUsage setKeyUsage}, for instance) and then the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
55 |
* {@code X509CertSelector} is passed to |
2 | 56 |
* {@link CertStore#getCertificates CertStore.getCertificates} or some similar |
57 |
* method. |
|
58 |
* <p> |
|
59 |
* Several criteria can be enabled (by calling {@link #setIssuer setIssuer} |
|
60 |
* and {@link #setSerialNumber setSerialNumber}, |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
61 |
* for example) such that the {@code match} method |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
62 |
* usually uniquely matches a single {@code X509Certificate}. We say |
2 | 63 |
* usually, since it is possible for two issuing CAs to have the same |
64 |
* distinguished name and each issue a certificate with the same serial |
|
65 |
* number. Other unique combinations include the issuer, subject, |
|
66 |
* subjectKeyIdentifier and/or the subjectPublicKey criteria. |
|
67 |
* <p> |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
68 |
* Please refer to <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: |
2 | 69 |
* Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for |
70 |
* definitions of the X.509 certificate extensions mentioned below. |
|
71 |
* <p> |
|
72 |
* <b>Concurrent Access</b> |
|
73 |
* <p> |
|
74 |
* Unless otherwise specified, the methods defined in this class are not |
|
75 |
* thread-safe. Multiple threads that need to access a single |
|
76 |
* object concurrently should synchronize amongst themselves and |
|
77 |
* provide the necessary locking. Multiple threads each manipulating |
|
78 |
* separate objects need not synchronize. |
|
79 |
* |
|
80 |
* @see CertSelector |
|
81 |
* @see X509Certificate |
|
82 |
* |
|
83 |
* @since 1.4 |
|
84 |
* @author Steve Hanna |
|
85 |
*/ |
|
86 |
public class X509CertSelector implements CertSelector { |
|
87 |
||
88 |
private static final Debug debug = Debug.getInstance("certpath"); |
|
89 |
||
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
31426
diff
changeset
|
90 |
private static final ObjectIdentifier ANY_EXTENDED_KEY_USAGE = |
2 | 91 |
ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0}); |
92 |
||
93 |
static { |
|
94 |
CertPathHelperImpl.initialize(); |
|
95 |
} |
|
96 |
||
97 |
private BigInteger serialNumber; |
|
98 |
private X500Principal issuer; |
|
99 |
private X500Principal subject; |
|
100 |
private byte[] subjectKeyID; |
|
101 |
private byte[] authorityKeyID; |
|
102 |
private Date certificateValid; |
|
103 |
private Date privateKeyValid; |
|
104 |
private ObjectIdentifier subjectPublicKeyAlgID; |
|
105 |
private PublicKey subjectPublicKey; |
|
106 |
private byte[] subjectPublicKeyBytes; |
|
107 |
private boolean[] keyUsage; |
|
108 |
private Set<String> keyPurposeSet; |
|
109 |
private Set<ObjectIdentifier> keyPurposeOIDSet; |
|
110 |
private Set<List<?>> subjectAlternativeNames; |
|
111 |
private Set<GeneralNameInterface> subjectAlternativeGeneralNames; |
|
112 |
private CertificatePolicySet policy; |
|
113 |
private Set<String> policySet; |
|
114 |
private Set<List<?>> pathToNames; |
|
115 |
private Set<GeneralNameInterface> pathToGeneralNames; |
|
116 |
private NameConstraintsExtension nc; |
|
117 |
private byte[] ncBytes; |
|
118 |
private int basicConstraints = -1; |
|
119 |
private X509Certificate x509Cert; |
|
120 |
private boolean matchAllSubjectAltNames = true; |
|
121 |
||
122 |
private static final Boolean FALSE = Boolean.FALSE; |
|
123 |
||
124 |
private static final int PRIVATE_KEY_USAGE_ID = 0; |
|
125 |
private static final int SUBJECT_ALT_NAME_ID = 1; |
|
126 |
private static final int NAME_CONSTRAINTS_ID = 2; |
|
127 |
private static final int CERT_POLICIES_ID = 3; |
|
128 |
private static final int EXTENDED_KEY_USAGE_ID = 4; |
|
129 |
private static final int NUM_OF_EXTENSIONS = 5; |
|
130 |
private static final String[] EXTENSION_OIDS = new String[NUM_OF_EXTENSIONS]; |
|
131 |
||
132 |
static { |
|
133 |
EXTENSION_OIDS[PRIVATE_KEY_USAGE_ID] = "2.5.29.16"; |
|
134 |
EXTENSION_OIDS[SUBJECT_ALT_NAME_ID] = "2.5.29.17"; |
|
135 |
EXTENSION_OIDS[NAME_CONSTRAINTS_ID] = "2.5.29.30"; |
|
136 |
EXTENSION_OIDS[CERT_POLICIES_ID] = "2.5.29.32"; |
|
137 |
EXTENSION_OIDS[EXTENDED_KEY_USAGE_ID] = "2.5.29.37"; |
|
138 |
}; |
|
139 |
||
140 |
/* Constants representing the GeneralName types */ |
|
141 |
static final int NAME_ANY = 0; |
|
142 |
static final int NAME_RFC822 = 1; |
|
143 |
static final int NAME_DNS = 2; |
|
144 |
static final int NAME_X400 = 3; |
|
145 |
static final int NAME_DIRECTORY = 4; |
|
146 |
static final int NAME_EDI = 5; |
|
147 |
static final int NAME_URI = 6; |
|
148 |
static final int NAME_IP = 7; |
|
149 |
static final int NAME_OID = 8; |
|
150 |
||
151 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
152 |
* Creates an {@code X509CertSelector}. Initially, no criteria are set |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
153 |
* so any {@code X509Certificate} will match. |
2 | 154 |
*/ |
155 |
public X509CertSelector() { |
|
156 |
// empty |
|
157 |
} |
|
158 |
||
159 |
/** |
|
160 |
* Sets the certificateEquals criterion. The specified |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
161 |
* {@code X509Certificate} must be equal to the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
162 |
* {@code X509Certificate} passed to the {@code match} method. |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
163 |
* If {@code null}, then this check is not applied. |
2 | 164 |
* |
165 |
* <p>This method is particularly useful when it is necessary to |
|
166 |
* match a single certificate. Although other criteria can be specified |
|
167 |
* in conjunction with the certificateEquals criterion, it is usually not |
|
168 |
* practical or necessary. |
|
169 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
170 |
* @param cert the {@code X509Certificate} to match (or |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
171 |
* {@code null}) |
2 | 172 |
* @see #getCertificate |
173 |
*/ |
|
174 |
public void setCertificate(X509Certificate cert) { |
|
175 |
x509Cert = cert; |
|
176 |
} |
|
177 |
||
178 |
/** |
|
179 |
* Sets the serialNumber criterion. The specified serial number |
|
180 |
* must match the certificate serial number in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
181 |
* {@code X509Certificate}. If {@code null}, any certificate |
2 | 182 |
* serial number will do. |
183 |
* |
|
184 |
* @param serial the certificate serial number to match |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
185 |
* (or {@code null}) |
2 | 186 |
* @see #getSerialNumber |
187 |
*/ |
|
188 |
public void setSerialNumber(BigInteger serial) { |
|
189 |
serialNumber = serial; |
|
190 |
} |
|
191 |
||
192 |
/** |
|
193 |
* Sets the issuer criterion. The specified distinguished name |
|
194 |
* must match the issuer distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
195 |
* {@code X509Certificate}. If {@code null}, any issuer |
2 | 196 |
* distinguished name will do. |
197 |
* |
|
198 |
* @param issuer a distinguished name as X500Principal |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
199 |
* (or {@code null}) |
2 | 200 |
* @since 1.5 |
201 |
*/ |
|
202 |
public void setIssuer(X500Principal issuer) { |
|
203 |
this.issuer = issuer; |
|
204 |
} |
|
205 |
||
206 |
/** |
|
207 |
* <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)} |
|
208 |
* or {@linkplain #setIssuer(byte[])} instead. This method should not be |
|
209 |
* relied on as it can fail to match some certificates because of a loss of |
|
210 |
* encoding information in the |
|
211 |
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form |
|
212 |
* of some distinguished names. |
|
213 |
* <p> |
|
214 |
* Sets the issuer criterion. The specified distinguished name |
|
215 |
* must match the issuer distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
216 |
* {@code X509Certificate}. If {@code null}, any issuer |
2 | 217 |
* distinguished name will do. |
218 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
219 |
* If {@code issuerDN} is not {@code null}, it should contain a |
2 | 220 |
* distinguished name, in RFC 2253 format. |
221 |
* |
|
222 |
* @param issuerDN a distinguished name in RFC 2253 format |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
223 |
* (or {@code null}) |
2 | 224 |
* @throws IOException if a parsing error occurs (incorrect form for DN) |
225 |
*/ |
|
226 |
public void setIssuer(String issuerDN) throws IOException { |
|
227 |
if (issuerDN == null) { |
|
228 |
issuer = null; |
|
229 |
} else { |
|
230 |
issuer = new X500Name(issuerDN).asX500Principal(); |
|
231 |
} |
|
232 |
} |
|
233 |
||
234 |
/** |
|
235 |
* Sets the issuer criterion. The specified distinguished name |
|
236 |
* must match the issuer distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
237 |
* {@code X509Certificate}. If {@code null} is specified, |
2 | 238 |
* the issuer criterion is disabled and any issuer distinguished name will |
239 |
* do. |
|
240 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
241 |
* If {@code issuerDN} is not {@code null}, it should contain a |
2 | 242 |
* single DER encoded distinguished name, as defined in X.501. The ASN.1 |
243 |
* notation for this structure is as follows. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
244 |
* <pre>{@code |
2 | 245 |
* Name ::= CHOICE { |
246 |
* RDNSequence } |
|
247 |
* |
|
248 |
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName |
|
249 |
* |
|
250 |
* RelativeDistinguishedName ::= |
|
251 |
* SET SIZE (1 .. MAX) OF AttributeTypeAndValue |
|
252 |
* |
|
253 |
* AttributeTypeAndValue ::= SEQUENCE { |
|
254 |
* type AttributeType, |
|
255 |
* value AttributeValue } |
|
256 |
* |
|
257 |
* AttributeType ::= OBJECT IDENTIFIER |
|
258 |
* |
|
259 |
* AttributeValue ::= ANY DEFINED BY AttributeType |
|
260 |
* .... |
|
261 |
* DirectoryString ::= CHOICE { |
|
262 |
* teletexString TeletexString (SIZE (1..MAX)), |
|
263 |
* printableString PrintableString (SIZE (1..MAX)), |
|
264 |
* universalString UniversalString (SIZE (1..MAX)), |
|
265 |
* utf8String UTF8String (SIZE (1.. MAX)), |
|
266 |
* bmpString BMPString (SIZE (1..MAX)) } |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
267 |
* }</pre> |
2 | 268 |
* <p> |
269 |
* Note that the byte array specified here is cloned to protect against |
|
270 |
* subsequent modifications. |
|
271 |
* |
|
272 |
* @param issuerDN a byte array containing the distinguished name |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
273 |
* in ASN.1 DER encoded form (or {@code null}) |
2 | 274 |
* @throws IOException if an encoding error occurs (incorrect form for DN) |
275 |
*/ |
|
276 |
public void setIssuer(byte[] issuerDN) throws IOException { |
|
277 |
try { |
|
278 |
issuer = (issuerDN == null ? null : new X500Principal(issuerDN)); |
|
279 |
} catch (IllegalArgumentException e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
280 |
throw new IOException("Invalid name", e); |
2 | 281 |
} |
282 |
} |
|
283 |
||
284 |
/** |
|
285 |
* Sets the subject criterion. The specified distinguished name |
|
286 |
* must match the subject distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
287 |
* {@code X509Certificate}. If {@code null}, any subject |
2 | 288 |
* distinguished name will do. |
289 |
* |
|
290 |
* @param subject a distinguished name as X500Principal |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
291 |
* (or {@code null}) |
2 | 292 |
* @since 1.5 |
293 |
*/ |
|
294 |
public void setSubject(X500Principal subject) { |
|
295 |
this.subject = subject; |
|
296 |
} |
|
297 |
||
298 |
/** |
|
299 |
* <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)} |
|
300 |
* or {@linkplain #setSubject(byte[])} instead. This method should not be |
|
301 |
* relied on as it can fail to match some certificates because of a loss of |
|
302 |
* encoding information in the RFC 2253 String form of some distinguished |
|
303 |
* names. |
|
304 |
* <p> |
|
305 |
* Sets the subject criterion. The specified distinguished name |
|
306 |
* must match the subject distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
307 |
* {@code X509Certificate}. If {@code null}, any subject |
2 | 308 |
* distinguished name will do. |
309 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
310 |
* If {@code subjectDN} is not {@code null}, it should contain a |
2 | 311 |
* distinguished name, in RFC 2253 format. |
312 |
* |
|
313 |
* @param subjectDN a distinguished name in RFC 2253 format |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
314 |
* (or {@code null}) |
2 | 315 |
* @throws IOException if a parsing error occurs (incorrect form for DN) |
316 |
*/ |
|
317 |
public void setSubject(String subjectDN) throws IOException { |
|
318 |
if (subjectDN == null) { |
|
319 |
subject = null; |
|
320 |
} else { |
|
321 |
subject = new X500Name(subjectDN).asX500Principal(); |
|
322 |
} |
|
323 |
} |
|
324 |
||
325 |
/** |
|
326 |
* Sets the subject criterion. The specified distinguished name |
|
327 |
* must match the subject distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
328 |
* {@code X509Certificate}. If {@code null}, any subject |
2 | 329 |
* distinguished name will do. |
330 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
331 |
* If {@code subjectDN} is not {@code null}, it should contain a |
2 | 332 |
* single DER encoded distinguished name, as defined in X.501. For the ASN.1 |
333 |
* notation for this structure, see |
|
334 |
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}. |
|
335 |
* |
|
336 |
* @param subjectDN a byte array containing the distinguished name in |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
337 |
* ASN.1 DER format (or {@code null}) |
2 | 338 |
* @throws IOException if an encoding error occurs (incorrect form for DN) |
339 |
*/ |
|
340 |
public void setSubject(byte[] subjectDN) throws IOException { |
|
341 |
try { |
|
342 |
subject = (subjectDN == null ? null : new X500Principal(subjectDN)); |
|
343 |
} catch (IllegalArgumentException e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
344 |
throw new IOException("Invalid name", e); |
2 | 345 |
} |
346 |
} |
|
347 |
||
348 |
/** |
|
349 |
* Sets the subjectKeyIdentifier criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
350 |
* {@code X509Certificate} must contain a SubjectKeyIdentifier |
2 | 351 |
* extension for which the contents of the extension |
352 |
* matches the specified criterion value. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
353 |
* If the criterion value is {@code null}, no |
2 | 354 |
* subjectKeyIdentifier check will be done. |
355 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
356 |
* If {@code subjectKeyID} is not {@code null}, it |
2 | 357 |
* should contain a single DER encoded value corresponding to the contents |
358 |
* of the extension value (not including the object identifier, |
|
359 |
* criticality setting, and encapsulating OCTET STRING) |
|
360 |
* for a SubjectKeyIdentifier extension. |
|
361 |
* The ASN.1 notation for this structure follows. |
|
21334 | 362 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
363 |
* <pre>{@code |
2 | 364 |
* SubjectKeyIdentifier ::= KeyIdentifier |
365 |
* |
|
366 |
* KeyIdentifier ::= OCTET STRING |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
367 |
* }</pre> |
2 | 368 |
* <p> |
369 |
* Since the format of subject key identifiers is not mandated by |
|
370 |
* any standard, subject key identifiers are not parsed by the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
371 |
* {@code X509CertSelector}. Instead, the values are compared using |
2 | 372 |
* a byte-by-byte comparison. |
373 |
* <p> |
|
374 |
* Note that the byte array supplied here is cloned to protect against |
|
375 |
* subsequent modifications. |
|
376 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
377 |
* @param subjectKeyID the subject key identifier (or {@code null}) |
2 | 378 |
* @see #getSubjectKeyIdentifier |
379 |
*/ |
|
380 |
public void setSubjectKeyIdentifier(byte[] subjectKeyID) { |
|
381 |
if (subjectKeyID == null) { |
|
382 |
this.subjectKeyID = null; |
|
383 |
} else { |
|
51 | 384 |
this.subjectKeyID = subjectKeyID.clone(); |
2 | 385 |
} |
386 |
} |
|
387 |
||
388 |
/** |
|
389 |
* Sets the authorityKeyIdentifier criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
390 |
* {@code X509Certificate} must contain an |
2 | 391 |
* AuthorityKeyIdentifier extension for which the contents of the |
392 |
* extension value matches the specified criterion value. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
393 |
* If the criterion value is {@code null}, no |
2 | 394 |
* authorityKeyIdentifier check will be done. |
395 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
396 |
* If {@code authorityKeyID} is not {@code null}, it |
2 | 397 |
* should contain a single DER encoded value corresponding to the contents |
398 |
* of the extension value (not including the object identifier, |
|
399 |
* criticality setting, and encapsulating OCTET STRING) |
|
400 |
* for an AuthorityKeyIdentifier extension. |
|
401 |
* The ASN.1 notation for this structure follows. |
|
21334 | 402 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
403 |
* <pre>{@code |
2 | 404 |
* AuthorityKeyIdentifier ::= SEQUENCE { |
405 |
* keyIdentifier [0] KeyIdentifier OPTIONAL, |
|
406 |
* authorityCertIssuer [1] GeneralNames OPTIONAL, |
|
407 |
* authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } |
|
408 |
* |
|
409 |
* KeyIdentifier ::= OCTET STRING |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
410 |
* }</pre> |
2 | 411 |
* <p> |
412 |
* Authority key identifiers are not parsed by the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
413 |
* {@code X509CertSelector}. Instead, the values are |
2 | 414 |
* compared using a byte-by-byte comparison. |
415 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
416 |
* When the {@code keyIdentifier} field of |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
417 |
* {@code AuthorityKeyIdentifier} is populated, the value is |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
418 |
* usually taken from the {@code SubjectKeyIdentifier} extension |
2 | 419 |
* in the issuer's certificate. Note, however, that the result of |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
420 |
* {@code X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
421 |
* Identifier>)} on the issuer's certificate may NOT be used |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
422 |
* directly as the input to {@code setAuthorityKeyIdentifier}. |
2 | 423 |
* This is because the SubjectKeyIdentifier contains |
424 |
* only a KeyIdentifier OCTET STRING, and not a SEQUENCE of |
|
425 |
* KeyIdentifier, GeneralNames, and CertificateSerialNumber. |
|
426 |
* In order to use the extension value of the issuer certificate's |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
427 |
* {@code SubjectKeyIdentifier} |
2 | 428 |
* extension, it will be necessary to extract the value of the embedded |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
429 |
* {@code KeyIdentifier} OCTET STRING, then DER encode this OCTET |
2 | 430 |
* STRING inside a SEQUENCE. |
431 |
* For more details on SubjectKeyIdentifier, see |
|
432 |
* {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}. |
|
433 |
* <p> |
|
434 |
* Note also that the byte array supplied here is cloned to protect against |
|
435 |
* subsequent modifications. |
|
436 |
* |
|
437 |
* @param authorityKeyID the authority key identifier |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
438 |
* (or {@code null}) |
2 | 439 |
* @see #getAuthorityKeyIdentifier |
440 |
*/ |
|
441 |
public void setAuthorityKeyIdentifier(byte[] authorityKeyID) { |
|
442 |
if (authorityKeyID == null) { |
|
443 |
this.authorityKeyID = null; |
|
444 |
} else { |
|
51 | 445 |
this.authorityKeyID = authorityKeyID.clone(); |
2 | 446 |
} |
447 |
} |
|
448 |
||
449 |
/** |
|
450 |
* Sets the certificateValid criterion. The specified date must fall |
|
451 |
* within the certificate validity period for the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
452 |
* {@code X509Certificate}. If {@code null}, no certificateValid |
2 | 453 |
* check will be done. |
454 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
455 |
* Note that the {@code Date} supplied here is cloned to protect |
2 | 456 |
* against subsequent modifications. |
457 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
458 |
* @param certValid the {@code Date} to check (or {@code null}) |
2 | 459 |
* @see #getCertificateValid |
460 |
*/ |
|
461 |
public void setCertificateValid(Date certValid) { |
|
462 |
if (certValid == null) { |
|
463 |
certificateValid = null; |
|
464 |
} else { |
|
465 |
certificateValid = (Date)certValid.clone(); |
|
466 |
} |
|
467 |
} |
|
468 |
||
469 |
/** |
|
470 |
* Sets the privateKeyValid criterion. The specified date must fall |
|
471 |
* within the private key validity period for the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
472 |
* {@code X509Certificate}. If {@code null}, no privateKeyValid |
2 | 473 |
* check will be done. |
474 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
475 |
* Note that the {@code Date} supplied here is cloned to protect |
2 | 476 |
* against subsequent modifications. |
477 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
478 |
* @param privateKeyValid the {@code Date} to check (or |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
479 |
* {@code null}) |
2 | 480 |
* @see #getPrivateKeyValid |
481 |
*/ |
|
482 |
public void setPrivateKeyValid(Date privateKeyValid) { |
|
483 |
if (privateKeyValid == null) { |
|
484 |
this.privateKeyValid = null; |
|
485 |
} else { |
|
486 |
this.privateKeyValid = (Date)privateKeyValid.clone(); |
|
487 |
} |
|
488 |
} |
|
489 |
||
490 |
/** |
|
491 |
* Sets the subjectPublicKeyAlgID criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
492 |
* {@code X509Certificate} must contain a subject public key |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
493 |
* with the specified algorithm. If {@code null}, no |
2 | 494 |
* subjectPublicKeyAlgID check will be done. |
495 |
* |
|
496 |
* @param oid The object identifier (OID) of the algorithm to check |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
497 |
* for (or {@code null}). An OID is represented by a |
2 | 498 |
* set of nonnegative integers separated by periods. |
499 |
* @throws IOException if the OID is invalid, such as |
|
500 |
* the first component being not 0, 1 or 2 or the second component |
|
501 |
* being greater than 39. |
|
502 |
* |
|
503 |
* @see #getSubjectPublicKeyAlgID |
|
504 |
*/ |
|
505 |
public void setSubjectPublicKeyAlgID(String oid) throws IOException { |
|
506 |
if (oid == null) { |
|
507 |
subjectPublicKeyAlgID = null; |
|
508 |
} else { |
|
509 |
subjectPublicKeyAlgID = new ObjectIdentifier(oid); |
|
510 |
} |
|
511 |
} |
|
512 |
||
513 |
/** |
|
514 |
* Sets the subjectPublicKey criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
515 |
* {@code X509Certificate} must contain the specified subject public |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
516 |
* key. If {@code null}, no subjectPublicKey check will be done. |
2 | 517 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
518 |
* @param key the subject public key to check for (or {@code null}) |
2 | 519 |
* @see #getSubjectPublicKey |
520 |
*/ |
|
521 |
public void setSubjectPublicKey(PublicKey key) { |
|
522 |
if (key == null) { |
|
523 |
subjectPublicKey = null; |
|
524 |
subjectPublicKeyBytes = null; |
|
525 |
} else { |
|
526 |
subjectPublicKey = key; |
|
527 |
subjectPublicKeyBytes = key.getEncoded(); |
|
528 |
} |
|
529 |
} |
|
530 |
||
531 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
532 |
* Sets the subjectPublicKey criterion. The {@code X509Certificate} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
533 |
* must contain the specified subject public key. If {@code null}, |
2 | 534 |
* no subjectPublicKey check will be done. |
535 |
* <p> |
|
536 |
* Because this method allows the public key to be specified as a byte |
|
537 |
* array, it may be used for unknown key types. |
|
538 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
539 |
* If {@code key} is not {@code null}, it should contain a |
2 | 540 |
* single DER encoded SubjectPublicKeyInfo structure, as defined in X.509. |
541 |
* The ASN.1 notation for this structure is as follows. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
542 |
* <pre>{@code |
2 | 543 |
* SubjectPublicKeyInfo ::= SEQUENCE { |
544 |
* algorithm AlgorithmIdentifier, |
|
545 |
* subjectPublicKey BIT STRING } |
|
546 |
* |
|
547 |
* AlgorithmIdentifier ::= SEQUENCE { |
|
548 |
* algorithm OBJECT IDENTIFIER, |
|
549 |
* parameters ANY DEFINED BY algorithm OPTIONAL } |
|
550 |
* -- contains a value of the type |
|
551 |
* -- registered for use with the |
|
552 |
* -- algorithm object identifier value |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
553 |
* }</pre> |
2 | 554 |
* <p> |
555 |
* Note that the byte array supplied here is cloned to protect against |
|
556 |
* subsequent modifications. |
|
557 |
* |
|
558 |
* @param key a byte array containing the subject public key in ASN.1 DER |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
559 |
* form (or {@code null}) |
2 | 560 |
* @throws IOException if an encoding error occurs (incorrect form for |
561 |
* subject public key) |
|
562 |
* @see #getSubjectPublicKey |
|
563 |
*/ |
|
564 |
public void setSubjectPublicKey(byte[] key) throws IOException { |
|
565 |
if (key == null) { |
|
566 |
subjectPublicKey = null; |
|
567 |
subjectPublicKeyBytes = null; |
|
568 |
} else { |
|
51 | 569 |
subjectPublicKeyBytes = key.clone(); |
2 | 570 |
subjectPublicKey = X509Key.parse(new DerValue(subjectPublicKeyBytes)); |
571 |
} |
|
572 |
} |
|
573 |
||
574 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
575 |
* Sets the keyUsage criterion. The {@code X509Certificate} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
576 |
* must allow the specified keyUsage values. If {@code null}, no |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
577 |
* keyUsage check will be done. Note that an {@code X509Certificate} |
2 | 578 |
* that has no keyUsage extension implicitly allows all keyUsage values. |
579 |
* <p> |
|
580 |
* Note that the boolean array supplied here is cloned to protect against |
|
581 |
* subsequent modifications. |
|
582 |
* |
|
583 |
* @param keyUsage a boolean array in the same format as the boolean |
|
584 |
* array returned by |
|
585 |
* {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
586 |
* Or {@code null}. |
2 | 587 |
* @see #getKeyUsage |
588 |
*/ |
|
589 |
public void setKeyUsage(boolean[] keyUsage) { |
|
590 |
if (keyUsage == null) { |
|
591 |
this.keyUsage = null; |
|
592 |
} else { |
|
51 | 593 |
this.keyUsage = keyUsage.clone(); |
2 | 594 |
} |
595 |
} |
|
596 |
||
597 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
598 |
* Sets the extendedKeyUsage criterion. The {@code X509Certificate} |
2 | 599 |
* must allow the specified key purposes in its extended key usage |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
600 |
* extension. If {@code keyPurposeSet} is empty or {@code null}, |
2 | 601 |
* no extendedKeyUsage check will be done. Note that an |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
602 |
* {@code X509Certificate} that has no extendedKeyUsage extension |
2 | 603 |
* implicitly allows all key purposes. |
604 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
605 |
* Note that the {@code Set} is cloned to protect against |
2 | 606 |
* subsequent modifications. |
607 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
608 |
* @param keyPurposeSet a {@code Set} of key purpose OIDs in string |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
609 |
* format (or {@code null}). Each OID is represented by a set of |
2 | 610 |
* nonnegative integers separated by periods. |
611 |
* @throws IOException if the OID is invalid, such as |
|
612 |
* the first component being not 0, 1 or 2 or the second component |
|
613 |
* being greater than 39. |
|
614 |
* @see #getExtendedKeyUsage |
|
615 |
*/ |
|
616 |
public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException { |
|
617 |
if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) { |
|
618 |
this.keyPurposeSet = null; |
|
619 |
keyPurposeOIDSet = null; |
|
620 |
} else { |
|
621 |
this.keyPurposeSet = |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
622 |
Collections.unmodifiableSet(new HashSet<>(keyPurposeSet)); |
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
623 |
keyPurposeOIDSet = new HashSet<>(); |
2 | 624 |
for (String s : this.keyPurposeSet) { |
625 |
keyPurposeOIDSet.add(new ObjectIdentifier(s)); |
|
626 |
} |
|
627 |
} |
|
628 |
} |
|
629 |
||
630 |
/** |
|
631 |
* Enables/disables matching all of the subjectAlternativeNames |
|
632 |
* specified in the {@link #setSubjectAlternativeNames |
|
633 |
* setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
|
634 |
* addSubjectAlternativeName} methods. If enabled, |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
635 |
* the {@code X509Certificate} must contain all of the |
2 | 636 |
* specified subject alternative names. If disabled, the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
637 |
* {@code X509Certificate} must contain at least one of the |
2 | 638 |
* specified subject alternative names. |
639 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
640 |
* <p>The matchAllNames flag is {@code true} by default. |
2 | 641 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
642 |
* @param matchAllNames if {@code true}, the flag is enabled; |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
643 |
* if {@code false}, the flag is disabled. |
2 | 644 |
* @see #getMatchAllSubjectAltNames |
645 |
*/ |
|
646 |
public void setMatchAllSubjectAltNames(boolean matchAllNames) { |
|
647 |
this.matchAllSubjectAltNames = matchAllNames; |
|
648 |
} |
|
649 |
||
650 |
/** |
|
651 |
* Sets the subjectAlternativeNames criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
652 |
* {@code X509Certificate} must contain all or at least one of the |
2 | 653 |
* specified subjectAlternativeNames, depending on the value of |
654 |
* the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
|
655 |
* setMatchAllSubjectAltNames}). |
|
656 |
* <p> |
|
657 |
* This method allows the caller to specify, with a single method call, |
|
658 |
* the complete set of subject alternative names for the |
|
659 |
* subjectAlternativeNames criterion. The specified value replaces |
|
660 |
* the previous value for the subjectAlternativeNames criterion. |
|
661 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
662 |
* The {@code names} parameter (if not {@code null}) is a |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
663 |
* {@code Collection} with one |
2 | 664 |
* entry for each name to be included in the subject alternative name |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
665 |
* criterion. Each entry is a {@code List} whose first entry is an |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
666 |
* {@code Integer} (the name type, 0-8) and whose second |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
667 |
* entry is a {@code String} or a byte array (the name, in |
2 | 668 |
* string or ASN.1 DER encoded form, respectively). |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
669 |
* There can be multiple names of the same type. If {@code null} |
2 | 670 |
* is supplied as the value for this argument, no |
671 |
* subjectAlternativeNames check will be performed. |
|
672 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
673 |
* Each subject alternative name in the {@code Collection} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
674 |
* may be specified either as a {@code String} or as an ASN.1 encoded |
2 | 675 |
* byte array. For more details about the formats used, see |
676 |
* {@link #addSubjectAlternativeName(int type, String name) |
|
677 |
* addSubjectAlternativeName(int type, String name)} and |
|
678 |
* {@link #addSubjectAlternativeName(int type, byte [] name) |
|
679 |
* addSubjectAlternativeName(int type, byte [] name)}. |
|
680 |
* <p> |
|
681 |
* <strong>Note:</strong> for distinguished names, specify the byte |
|
682 |
* array form instead of the String form. See the note in |
|
683 |
* {@link #addSubjectAlternativeName(int, String)} for more information. |
|
684 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
685 |
* Note that the {@code names} parameter can contain duplicate |
2 | 686 |
* names (same name and name type), but they may be removed from the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
687 |
* {@code Collection} of names returned by the |
2 | 688 |
* {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method. |
689 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
690 |
* Note that a deep copy is performed on the {@code Collection} to |
2 | 691 |
* protect against subsequent modifications. |
692 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
693 |
* @param names a {@code Collection} of names (or {@code null}) |
2 | 694 |
* @throws IOException if a parsing error occurs |
695 |
* @see #getSubjectAlternativeNames |
|
696 |
*/ |
|
697 |
public void setSubjectAlternativeNames(Collection<List<?>> names) |
|
698 |
throws IOException { |
|
699 |
if (names == null) { |
|
700 |
subjectAlternativeNames = null; |
|
701 |
subjectAlternativeGeneralNames = null; |
|
702 |
} else { |
|
703 |
if (names.isEmpty()) { |
|
704 |
subjectAlternativeNames = null; |
|
705 |
subjectAlternativeGeneralNames = null; |
|
706 |
return; |
|
707 |
} |
|
708 |
Set<List<?>> tempNames = cloneAndCheckNames(names); |
|
709 |
// Ensure that we either set both of these or neither |
|
710 |
subjectAlternativeGeneralNames = parseNames(tempNames); |
|
711 |
subjectAlternativeNames = tempNames; |
|
712 |
} |
|
713 |
} |
|
714 |
||
715 |
/** |
|
716 |
* Adds a name to the subjectAlternativeNames criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
717 |
* {@code X509Certificate} must contain all or at least one |
2 | 718 |
* of the specified subjectAlternativeNames, depending on the value of |
719 |
* the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
|
720 |
* setMatchAllSubjectAltNames}). |
|
721 |
* <p> |
|
722 |
* This method allows the caller to add a name to the set of subject |
|
723 |
* alternative names. |
|
724 |
* The specified name is added to any previous value for the |
|
725 |
* subjectAlternativeNames criterion. If the specified name is a |
|
726 |
* duplicate, it may be ignored. |
|
727 |
* <p> |
|
728 |
* The name is provided in string format. |
|
729 |
* <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI |
|
730 |
* names use the well-established string formats for those types (subject to |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
731 |
* the restrictions included in RFC 5280). IPv4 address names are |
2 | 732 |
* supplied using dotted quad notation. OID address names are represented |
733 |
* as a series of nonnegative integers separated by periods. And |
|
734 |
* directory names (distinguished names) are supplied in RFC 2253 format. |
|
735 |
* No standard string format is defined for otherNames, X.400 names, |
|
736 |
* EDI party names, IPv6 address names, or any other type of names. They |
|
737 |
* should be specified using the |
|
738 |
* {@link #addSubjectAlternativeName(int type, byte [] name) |
|
739 |
* addSubjectAlternativeName(int type, byte [] name)} |
|
740 |
* method. |
|
741 |
* <p> |
|
742 |
* <strong>Note:</strong> for distinguished names, use |
|
743 |
* {@linkplain #addSubjectAlternativeName(int, byte[])} instead. |
|
744 |
* This method should not be relied on as it can fail to match some |
|
745 |
* certificates because of a loss of encoding information in the RFC 2253 |
|
746 |
* String form of some distinguished names. |
|
747 |
* |
|
748 |
* @param type the name type (0-8, as specified in |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
749 |
* RFC 5280, section 4.2.1.6) |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
750 |
* @param name the name in string form (not {@code null}) |
2 | 751 |
* @throws IOException if a parsing error occurs |
752 |
*/ |
|
753 |
public void addSubjectAlternativeName(int type, String name) |
|
754 |
throws IOException { |
|
755 |
addSubjectAlternativeNameInternal(type, name); |
|
756 |
} |
|
757 |
||
758 |
/** |
|
759 |
* Adds a name to the subjectAlternativeNames criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
760 |
* {@code X509Certificate} must contain all or at least one |
2 | 761 |
* of the specified subjectAlternativeNames, depending on the value of |
762 |
* the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
|
763 |
* setMatchAllSubjectAltNames}). |
|
764 |
* <p> |
|
765 |
* This method allows the caller to add a name to the set of subject |
|
766 |
* alternative names. |
|
767 |
* The specified name is added to any previous value for the |
|
768 |
* subjectAlternativeNames criterion. If the specified name is a |
|
769 |
* duplicate, it may be ignored. |
|
770 |
* <p> |
|
771 |
* The name is provided as a byte array. This byte array should contain |
|
772 |
* the DER encoded name, as it would appear in the GeneralName structure |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
773 |
* defined in RFC 5280 and X.509. The encoded byte array should only contain |
2 | 774 |
* the encoded value of the name, and should not include the tag associated |
775 |
* with the name in the GeneralName structure. The ASN.1 definition of this |
|
776 |
* structure appears below. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
777 |
* <pre>{@code |
2 | 778 |
* GeneralName ::= CHOICE { |
779 |
* otherName [0] OtherName, |
|
780 |
* rfc822Name [1] IA5String, |
|
781 |
* dNSName [2] IA5String, |
|
782 |
* x400Address [3] ORAddress, |
|
783 |
* directoryName [4] Name, |
|
784 |
* ediPartyName [5] EDIPartyName, |
|
785 |
* uniformResourceIdentifier [6] IA5String, |
|
786 |
* iPAddress [7] OCTET STRING, |
|
787 |
* registeredID [8] OBJECT IDENTIFIER} |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
788 |
* }</pre> |
2 | 789 |
* <p> |
790 |
* Note that the byte array supplied here is cloned to protect against |
|
791 |
* subsequent modifications. |
|
792 |
* |
|
793 |
* @param type the name type (0-8, as listed above) |
|
794 |
* @param name a byte array containing the name in ASN.1 DER encoded form |
|
795 |
* @throws IOException if a parsing error occurs |
|
796 |
*/ |
|
797 |
public void addSubjectAlternativeName(int type, byte[] name) |
|
798 |
throws IOException { |
|
799 |
// clone because byte arrays are modifiable |
|
800 |
addSubjectAlternativeNameInternal(type, name.clone()); |
|
801 |
} |
|
802 |
||
803 |
/** |
|
804 |
* A private method that adds a name (String or byte array) to the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
805 |
* subjectAlternativeNames criterion. The {@code X509Certificate} |
2 | 806 |
* must contain the specified subjectAlternativeName. |
807 |
* |
|
808 |
* @param type the name type (0-8, as specified in |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
809 |
* RFC 5280, section 4.2.1.6) |
2 | 810 |
* @param name the name in string or byte array form |
811 |
* @throws IOException if a parsing error occurs |
|
812 |
*/ |
|
813 |
private void addSubjectAlternativeNameInternal(int type, Object name) |
|
814 |
throws IOException { |
|
815 |
// First, ensure that the name parses |
|
816 |
GeneralNameInterface tempName = makeGeneralNameInterface(type, name); |
|
817 |
if (subjectAlternativeNames == null) { |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
818 |
subjectAlternativeNames = new HashSet<>(); |
2 | 819 |
} |
820 |
if (subjectAlternativeGeneralNames == null) { |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
821 |
subjectAlternativeGeneralNames = new HashSet<>(); |
2 | 822 |
} |
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
823 |
List<Object> list = new ArrayList<>(2); |
2 | 824 |
list.add(Integer.valueOf(type)); |
825 |
list.add(name); |
|
826 |
subjectAlternativeNames.add(list); |
|
827 |
subjectAlternativeGeneralNames.add(tempName); |
|
828 |
} |
|
829 |
||
830 |
/** |
|
831 |
* Parse an argument of the form passed to setSubjectAlternativeNames, |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
832 |
* returning a {@code Collection} of |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
833 |
* {@code GeneralNameInterface}s. |
2 | 834 |
* Throw an IllegalArgumentException or a ClassCastException |
835 |
* if the argument is malformed. |
|
836 |
* |
|
837 |
* @param names a Collection with one entry per name. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
838 |
* Each entry is a {@code List} whose first entry |
2 | 839 |
* is an Integer (the name type, 0-8) and whose second |
840 |
* entry is a String or a byte array (the name, in |
|
841 |
* string or ASN.1 DER encoded form, respectively). |
|
842 |
* There can be multiple names of the same type. Null is |
|
843 |
* not an acceptable value. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
844 |
* @return a Set of {@code GeneralNameInterface}s |
2 | 845 |
* @throws IOException if a parsing error occurs |
846 |
*/ |
|
847 |
private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException { |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
848 |
Set<GeneralNameInterface> genNames = new HashSet<>(); |
2 | 849 |
for (List<?> nameList : names) { |
850 |
if (nameList.size() != 2) { |
|
851 |
throw new IOException("name list size not 2"); |
|
852 |
} |
|
853 |
Object o = nameList.get(0); |
|
854 |
if (!(o instanceof Integer)) { |
|
855 |
throw new IOException("expected an Integer"); |
|
856 |
} |
|
857 |
int nameType = ((Integer)o).intValue(); |
|
858 |
o = nameList.get(1); |
|
859 |
genNames.add(makeGeneralNameInterface(nameType, o)); |
|
860 |
} |
|
861 |
||
862 |
return genNames; |
|
863 |
} |
|
864 |
||
865 |
/** |
|
866 |
* Compare for equality two objects of the form passed to |
|
867 |
* setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames). |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
868 |
* Throw an {@code IllegalArgumentException} or a |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
869 |
* {@code ClassCastException} if one of the objects is malformed. |
2 | 870 |
* |
871 |
* @param object1 a Collection containing the first object to compare |
|
872 |
* @param object2 a Collection containing the second object to compare |
|
873 |
* @return true if the objects are equal, false otherwise |
|
874 |
*/ |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
875 |
static boolean equalNames(Collection<?> object1, Collection<?> object2) { |
2 | 876 |
if ((object1 == null) || (object2 == null)) { |
877 |
return object1 == object2; |
|
878 |
} |
|
879 |
return object1.equals(object2); |
|
880 |
} |
|
881 |
||
882 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
883 |
* Make a {@code GeneralNameInterface} out of a name type (0-8) and an |
2 | 884 |
* Object that may be a byte array holding the ASN.1 DER encoded |
885 |
* name or a String form of the name. Except for X.509 |
|
886 |
* Distinguished Names, the String form of the name must not be the |
|
887 |
* result from calling toString on an existing GeneralNameInterface |
|
888 |
* implementing class. The output of toString is not compatible |
|
889 |
* with the String constructors for names other than Distinguished |
|
890 |
* Names. |
|
891 |
* |
|
892 |
* @param type name type (0-8) |
|
893 |
* @param name name as ASN.1 Der-encoded byte array or String |
|
894 |
* @return a GeneralNameInterface name |
|
895 |
* @throws IOException if a parsing error occurs |
|
896 |
*/ |
|
897 |
static GeneralNameInterface makeGeneralNameInterface(int type, Object name) |
|
898 |
throws IOException { |
|
899 |
GeneralNameInterface result; |
|
900 |
if (debug != null) { |
|
901 |
debug.println("X509CertSelector.makeGeneralNameInterface(" |
|
902 |
+ type + ")..."); |
|
903 |
} |
|
904 |
||
905 |
if (name instanceof String) { |
|
906 |
if (debug != null) { |
|
907 |
debug.println("X509CertSelector.makeGeneralNameInterface() " |
|
908 |
+ "name is String: " + name); |
|
909 |
} |
|
910 |
switch (type) { |
|
911 |
case NAME_RFC822: |
|
912 |
result = new RFC822Name((String)name); |
|
913 |
break; |
|
914 |
case NAME_DNS: |
|
915 |
result = new DNSName((String)name); |
|
916 |
break; |
|
917 |
case NAME_DIRECTORY: |
|
918 |
result = new X500Name((String)name); |
|
919 |
break; |
|
920 |
case NAME_URI: |
|
921 |
result = new URIName((String)name); |
|
922 |
break; |
|
923 |
case NAME_IP: |
|
924 |
result = new IPAddressName((String)name); |
|
925 |
break; |
|
926 |
case NAME_OID: |
|
927 |
result = new OIDName((String)name); |
|
928 |
break; |
|
929 |
default: |
|
930 |
throw new IOException("unable to parse String names of type " |
|
931 |
+ type); |
|
932 |
} |
|
933 |
if (debug != null) { |
|
934 |
debug.println("X509CertSelector.makeGeneralNameInterface() " |
|
935 |
+ "result: " + result.toString()); |
|
936 |
} |
|
937 |
} else if (name instanceof byte[]) { |
|
938 |
DerValue val = new DerValue((byte[]) name); |
|
939 |
if (debug != null) { |
|
940 |
debug.println |
|
941 |
("X509CertSelector.makeGeneralNameInterface() is byte[]"); |
|
942 |
} |
|
943 |
||
944 |
switch (type) { |
|
945 |
case NAME_ANY: |
|
946 |
result = new OtherName(val); |
|
947 |
break; |
|
948 |
case NAME_RFC822: |
|
949 |
result = new RFC822Name(val); |
|
950 |
break; |
|
951 |
case NAME_DNS: |
|
952 |
result = new DNSName(val); |
|
953 |
break; |
|
954 |
case NAME_X400: |
|
955 |
result = new X400Address(val); |
|
956 |
break; |
|
957 |
case NAME_DIRECTORY: |
|
958 |
result = new X500Name(val); |
|
959 |
break; |
|
960 |
case NAME_EDI: |
|
961 |
result = new EDIPartyName(val); |
|
962 |
break; |
|
963 |
case NAME_URI: |
|
964 |
result = new URIName(val); |
|
965 |
break; |
|
966 |
case NAME_IP: |
|
967 |
result = new IPAddressName(val); |
|
968 |
break; |
|
969 |
case NAME_OID: |
|
970 |
result = new OIDName(val); |
|
971 |
break; |
|
972 |
default: |
|
973 |
throw new IOException("unable to parse byte array names of " |
|
974 |
+ "type " + type); |
|
975 |
} |
|
976 |
if (debug != null) { |
|
977 |
debug.println("X509CertSelector.makeGeneralNameInterface() result: " |
|
978 |
+ result.toString()); |
|
979 |
} |
|
980 |
} else { |
|
981 |
if (debug != null) { |
|
982 |
debug.println("X509CertSelector.makeGeneralName() input name " |
|
983 |
+ "not String or byte array"); |
|
984 |
} |
|
985 |
throw new IOException("name not String or byte array"); |
|
986 |
} |
|
987 |
return result; |
|
988 |
} |
|
989 |
||
990 |
||
991 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
992 |
* Sets the name constraints criterion. The {@code X509Certificate} |
2 | 993 |
* must have subject and subject alternative names that |
994 |
* meet the specified name constraints. |
|
995 |
* <p> |
|
996 |
* The name constraints are specified as a byte array. This byte array |
|
997 |
* should contain the DER encoded form of the name constraints, as they |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
998 |
* would appear in the NameConstraints structure defined in RFC 5280 |
2 | 999 |
* and X.509. The ASN.1 definition of this structure appears below. |
1000 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1001 |
* <pre>{@code |
2 | 1002 |
* NameConstraints ::= SEQUENCE { |
1003 |
* permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
|
1004 |
* excludedSubtrees [1] GeneralSubtrees OPTIONAL } |
|
1005 |
* |
|
1006 |
* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree |
|
1007 |
* |
|
1008 |
* GeneralSubtree ::= SEQUENCE { |
|
1009 |
* base GeneralName, |
|
1010 |
* minimum [0] BaseDistance DEFAULT 0, |
|
1011 |
* maximum [1] BaseDistance OPTIONAL } |
|
1012 |
* |
|
1013 |
* BaseDistance ::= INTEGER (0..MAX) |
|
1014 |
* |
|
1015 |
* GeneralName ::= CHOICE { |
|
1016 |
* otherName [0] OtherName, |
|
1017 |
* rfc822Name [1] IA5String, |
|
1018 |
* dNSName [2] IA5String, |
|
1019 |
* x400Address [3] ORAddress, |
|
1020 |
* directoryName [4] Name, |
|
1021 |
* ediPartyName [5] EDIPartyName, |
|
1022 |
* uniformResourceIdentifier [6] IA5String, |
|
1023 |
* iPAddress [7] OCTET STRING, |
|
1024 |
* registeredID [8] OBJECT IDENTIFIER} |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1025 |
* }</pre> |
2 | 1026 |
* <p> |
1027 |
* Note that the byte array supplied here is cloned to protect against |
|
1028 |
* subsequent modifications. |
|
1029 |
* |
|
1030 |
* @param bytes a byte array containing the ASN.1 DER encoding of |
|
1031 |
* a NameConstraints extension to be used for checking |
|
1032 |
* name constraints. Only the value of the extension is |
|
1033 |
* included, not the OID or criticality flag. Can be |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1034 |
* {@code null}, |
2 | 1035 |
* in which case no name constraints check will be performed. |
1036 |
* @throws IOException if a parsing error occurs |
|
1037 |
* @see #getNameConstraints |
|
1038 |
*/ |
|
1039 |
public void setNameConstraints(byte[] bytes) throws IOException { |
|
1040 |
if (bytes == null) { |
|
1041 |
ncBytes = null; |
|
1042 |
nc = null; |
|
1043 |
} else { |
|
51 | 1044 |
ncBytes = bytes.clone(); |
2 | 1045 |
nc = new NameConstraintsExtension(FALSE, bytes); |
1046 |
} |
|
1047 |
} |
|
1048 |
||
1049 |
/** |
|
1050 |
* Sets the basic constraints constraint. If the value is greater than or |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1051 |
* equal to zero, {@code X509Certificates} must include a |
2 | 1052 |
* basicConstraints extension with |
1053 |
* a pathLen of at least this value. If the value is -2, only end-entity |
|
1054 |
* certificates are accepted. If the value is -1, no check is done. |
|
1055 |
* <p> |
|
1056 |
* This constraint is useful when building a certification path forward |
|
1057 |
* (from the target toward the trust anchor. If a partial path has been |
|
1058 |
* built, any candidate certificate must have a maxPathLen value greater |
|
1059 |
* than or equal to the number of certificates in the partial path. |
|
1060 |
* |
|
1061 |
* @param minMaxPathLen the value for the basic constraints constraint |
|
1062 |
* @throws IllegalArgumentException if the value is less than -2 |
|
1063 |
* @see #getBasicConstraints |
|
1064 |
*/ |
|
1065 |
public void setBasicConstraints(int minMaxPathLen) { |
|
1066 |
if (minMaxPathLen < -2) { |
|
1067 |
throw new IllegalArgumentException("basic constraints less than -2"); |
|
1068 |
} |
|
1069 |
basicConstraints = minMaxPathLen; |
|
1070 |
} |
|
1071 |
||
1072 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1073 |
* Sets the policy constraint. The {@code X509Certificate} must |
2 | 1074 |
* include at least one of the specified policies in its certificate |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1075 |
* policies extension. If {@code certPolicySet} is empty, then the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1076 |
* {@code X509Certificate} must include at least some specified policy |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1077 |
* in its certificate policies extension. If {@code certPolicySet} is |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1078 |
* {@code null}, no policy check will be performed. |
2 | 1079 |
* <p> |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1080 |
* Note that the {@code Set} is cloned to protect against |
2 | 1081 |
* subsequent modifications. |
1082 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1083 |
* @param certPolicySet a {@code Set} of certificate policy OIDs in |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1084 |
* string format (or {@code null}). Each OID is |
2 | 1085 |
* represented by a set of nonnegative integers |
1086 |
* separated by periods. |
|
1087 |
* @throws IOException if a parsing error occurs on the OID such as |
|
1088 |
* the first component is not 0, 1 or 2 or the second component is |
|
1089 |
* greater than 39. |
|
1090 |
* @see #getPolicy |
|
1091 |
*/ |
|
1092 |
public void setPolicy(Set<String> certPolicySet) throws IOException { |
|
1093 |
if (certPolicySet == null) { |
|
1094 |
policySet = null; |
|
1095 |
policy = null; |
|
1096 |
} else { |
|
1097 |
// Snapshot set and parse it |
|
1098 |
Set<String> tempSet = Collections.unmodifiableSet |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1099 |
(new HashSet<>(certPolicySet)); |
2 | 1100 |
/* Convert to Vector of ObjectIdentifiers */ |
1101 |
Iterator<String> i = tempSet.iterator(); |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1102 |
Vector<CertificatePolicyId> polIdVector = new Vector<>(); |
2 | 1103 |
while (i.hasNext()) { |
1104 |
Object o = i.next(); |
|
1105 |
if (!(o instanceof String)) { |
|
1106 |
throw new IOException("non String in certPolicySet"); |
|
1107 |
} |
|
1108 |
polIdVector.add(new CertificatePolicyId(new ObjectIdentifier( |
|
1109 |
(String)o))); |
|
1110 |
} |
|
1111 |
// If everything went OK, make the changes |
|
1112 |
policySet = tempSet; |
|
1113 |
policy = new CertificatePolicySet(polIdVector); |
|
1114 |
} |
|
1115 |
} |
|
1116 |
||
1117 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1118 |
* Sets the pathToNames criterion. The {@code X509Certificate} must |
2 | 1119 |
* not include name constraints that would prohibit building a |
1120 |
* path to the specified names. |
|
1121 |
* <p> |
|
1122 |
* This method allows the caller to specify, with a single method call, |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1123 |
* the complete set of names which the {@code X509Certificates}'s |
2 | 1124 |
* name constraints must permit. The specified value replaces |
1125 |
* the previous value for the pathToNames criterion. |
|
1126 |
* <p> |
|
1127 |
* This constraint is useful when building a certification path forward |
|
1128 |
* (from the target toward the trust anchor. If a partial path has been |
|
1129 |
* built, any candidate certificate must not include name constraints that |
|
1130 |
* would prohibit building a path to any of the names in the partial path. |
|
1131 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1132 |
* The {@code names} parameter (if not {@code null}) is a |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1133 |
* {@code Collection} with one |
2 | 1134 |
* entry for each name to be included in the pathToNames |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1135 |
* criterion. Each entry is a {@code List} whose first entry is an |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1136 |
* {@code Integer} (the name type, 0-8) and whose second |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1137 |
* entry is a {@code String} or a byte array (the name, in |
2 | 1138 |
* string or ASN.1 DER encoded form, respectively). |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1139 |
* There can be multiple names of the same type. If {@code null} |
2 | 1140 |
* is supplied as the value for this argument, no |
1141 |
* pathToNames check will be performed. |
|
1142 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1143 |
* Each name in the {@code Collection} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1144 |
* may be specified either as a {@code String} or as an ASN.1 encoded |
2 | 1145 |
* byte array. For more details about the formats used, see |
1146 |
* {@link #addPathToName(int type, String name) |
|
1147 |
* addPathToName(int type, String name)} and |
|
1148 |
* {@link #addPathToName(int type, byte [] name) |
|
1149 |
* addPathToName(int type, byte [] name)}. |
|
1150 |
* <p> |
|
1151 |
* <strong>Note:</strong> for distinguished names, specify the byte |
|
1152 |
* array form instead of the String form. See the note in |
|
1153 |
* {@link #addPathToName(int, String)} for more information. |
|
1154 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1155 |
* Note that the {@code names} parameter can contain duplicate |
2 | 1156 |
* names (same name and name type), but they may be removed from the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1157 |
* {@code Collection} of names returned by the |
2 | 1158 |
* {@link #getPathToNames getPathToNames} method. |
1159 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1160 |
* Note that a deep copy is performed on the {@code Collection} to |
2 | 1161 |
* protect against subsequent modifications. |
1162 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1163 |
* @param names a {@code Collection} with one entry per name |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1164 |
* (or {@code null}) |
2 | 1165 |
* @throws IOException if a parsing error occurs |
1166 |
* @see #getPathToNames |
|
1167 |
*/ |
|
1168 |
public void setPathToNames(Collection<List<?>> names) throws IOException { |
|
1169 |
if ((names == null) || names.isEmpty()) { |
|
1170 |
pathToNames = null; |
|
1171 |
pathToGeneralNames = null; |
|
1172 |
} else { |
|
1173 |
Set<List<?>> tempNames = cloneAndCheckNames(names); |
|
1174 |
pathToGeneralNames = parseNames(tempNames); |
|
1175 |
// Ensure that we either set both of these or neither |
|
1176 |
pathToNames = tempNames; |
|
1177 |
} |
|
1178 |
} |
|
1179 |
||
1180 |
// called from CertPathHelper |
|
1181 |
void setPathToNamesInternal(Set<GeneralNameInterface> names) { |
|
1182 |
// set names to non-null dummy value |
|
1183 |
// this breaks getPathToNames() |
|
1184 |
pathToNames = Collections.<List<?>>emptySet(); |
|
1185 |
pathToGeneralNames = names; |
|
1186 |
} |
|
1187 |
||
1188 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1189 |
* Adds a name to the pathToNames criterion. The {@code X509Certificate} |
2 | 1190 |
* must not include name constraints that would prohibit building a |
1191 |
* path to the specified name. |
|
1192 |
* <p> |
|
1193 |
* This method allows the caller to add a name to the set of names which |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1194 |
* the {@code X509Certificates}'s name constraints must permit. |
2 | 1195 |
* The specified name is added to any previous value for the |
1196 |
* pathToNames criterion. If the name is a duplicate, it may be ignored. |
|
1197 |
* <p> |
|
1198 |
* The name is provided in string format. RFC 822, DNS, and URI names |
|
1199 |
* use the well-established string formats for those types (subject to |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1200 |
* the restrictions included in RFC 5280). IPv4 address names are |
2 | 1201 |
* supplied using dotted quad notation. OID address names are represented |
1202 |
* as a series of nonnegative integers separated by periods. And |
|
1203 |
* directory names (distinguished names) are supplied in RFC 2253 format. |
|
1204 |
* No standard string format is defined for otherNames, X.400 names, |
|
1205 |
* EDI party names, IPv6 address names, or any other type of names. They |
|
1206 |
* should be specified using the |
|
1207 |
* {@link #addPathToName(int type, byte [] name) |
|
1208 |
* addPathToName(int type, byte [] name)} method. |
|
1209 |
* <p> |
|
1210 |
* <strong>Note:</strong> for distinguished names, use |
|
1211 |
* {@linkplain #addPathToName(int, byte[])} instead. |
|
1212 |
* This method should not be relied on as it can fail to match some |
|
1213 |
* certificates because of a loss of encoding information in the RFC 2253 |
|
1214 |
* String form of some distinguished names. |
|
1215 |
* |
|
1216 |
* @param type the name type (0-8, as specified in |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1217 |
* RFC 5280, section 4.2.1.6) |
2 | 1218 |
* @param name the name in string form |
1219 |
* @throws IOException if a parsing error occurs |
|
1220 |
*/ |
|
1221 |
public void addPathToName(int type, String name) throws IOException { |
|
1222 |
addPathToNameInternal(type, name); |
|
1223 |
} |
|
1224 |
||
1225 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1226 |
* Adds a name to the pathToNames criterion. The {@code X509Certificate} |
2 | 1227 |
* must not include name constraints that would prohibit building a |
1228 |
* path to the specified name. |
|
1229 |
* <p> |
|
1230 |
* This method allows the caller to add a name to the set of names which |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1231 |
* the {@code X509Certificates}'s name constraints must permit. |
2 | 1232 |
* The specified name is added to any previous value for the |
1233 |
* pathToNames criterion. If the name is a duplicate, it may be ignored. |
|
1234 |
* <p> |
|
1235 |
* The name is provided as a byte array. This byte array should contain |
|
1236 |
* the DER encoded name, as it would appear in the GeneralName structure |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1237 |
* defined in RFC 5280 and X.509. The ASN.1 definition of this structure |
2 | 1238 |
* appears in the documentation for |
1239 |
* {@link #addSubjectAlternativeName(int type, byte [] name) |
|
1240 |
* addSubjectAlternativeName(int type, byte [] name)}. |
|
1241 |
* <p> |
|
1242 |
* Note that the byte array supplied here is cloned to protect against |
|
1243 |
* subsequent modifications. |
|
1244 |
* |
|
1245 |
* @param type the name type (0-8, as specified in |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1246 |
* RFC 5280, section 4.2.1.6) |
2 | 1247 |
* @param name a byte array containing the name in ASN.1 DER encoded form |
1248 |
* @throws IOException if a parsing error occurs |
|
1249 |
*/ |
|
1250 |
public void addPathToName(int type, byte [] name) throws IOException { |
|
1251 |
// clone because byte arrays are modifiable |
|
1252 |
addPathToNameInternal(type, name.clone()); |
|
1253 |
} |
|
1254 |
||
1255 |
/** |
|
1256 |
* A private method that adds a name (String or byte array) to the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1257 |
* pathToNames criterion. The {@code X509Certificate} must contain |
2 | 1258 |
* the specified pathToName. |
1259 |
* |
|
1260 |
* @param type the name type (0-8, as specified in |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1261 |
* RFC 5280, section 4.2.1.6) |
2 | 1262 |
* @param name the name in string or byte array form |
1263 |
* @throws IOException if an encoding error occurs (incorrect form for DN) |
|
1264 |
*/ |
|
1265 |
private void addPathToNameInternal(int type, Object name) |
|
1266 |
throws IOException { |
|
1267 |
// First, ensure that the name parses |
|
1268 |
GeneralNameInterface tempName = makeGeneralNameInterface(type, name); |
|
1269 |
if (pathToGeneralNames == null) { |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1270 |
pathToNames = new HashSet<>(); |
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1271 |
pathToGeneralNames = new HashSet<>(); |
2 | 1272 |
} |
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1273 |
List<Object> list = new ArrayList<>(2); |
2 | 1274 |
list.add(Integer.valueOf(type)); |
1275 |
list.add(name); |
|
1276 |
pathToNames.add(list); |
|
1277 |
pathToGeneralNames.add(tempName); |
|
1278 |
} |
|
1279 |
||
1280 |
/** |
|
1281 |
* Returns the certificateEquals criterion. The specified |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1282 |
* {@code X509Certificate} must be equal to the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1283 |
* {@code X509Certificate} passed to the {@code match} method. |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1284 |
* If {@code null}, this check is not applied. |
2 | 1285 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1286 |
* @return the {@code X509Certificate} to match (or {@code null}) |
2 | 1287 |
* @see #setCertificate |
1288 |
*/ |
|
1289 |
public X509Certificate getCertificate() { |
|
1290 |
return x509Cert; |
|
1291 |
} |
|
1292 |
||
1293 |
/** |
|
1294 |
* Returns the serialNumber criterion. The specified serial number |
|
1295 |
* must match the certificate serial number in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1296 |
* {@code X509Certificate}. If {@code null}, any certificate |
2 | 1297 |
* serial number will do. |
1298 |
* |
|
1299 |
* @return the certificate serial number to match |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1300 |
* (or {@code null}) |
2 | 1301 |
* @see #setSerialNumber |
1302 |
*/ |
|
1303 |
public BigInteger getSerialNumber() { |
|
1304 |
return serialNumber; |
|
1305 |
} |
|
1306 |
||
1307 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1308 |
* Returns the issuer criterion as an {@code X500Principal}. This |
2 | 1309 |
* distinguished name must match the issuer distinguished name in the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1310 |
* {@code X509Certificate}. If {@code null}, the issuer criterion |
2 | 1311 |
* is disabled and any issuer distinguished name will do. |
1312 |
* |
|
1313 |
* @return the required issuer distinguished name as X500Principal |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1314 |
* (or {@code null}) |
2 | 1315 |
* @since 1.5 |
1316 |
*/ |
|
1317 |
public X500Principal getIssuer() { |
|
1318 |
return issuer; |
|
1319 |
} |
|
1320 |
||
1321 |
/** |
|
1322 |
* <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or |
|
1323 |
* {@linkplain #getIssuerAsBytes()} instead. This method should not be |
|
1324 |
* relied on as it can fail to match some certificates because of a loss of |
|
1325 |
* encoding information in the RFC 2253 String form of some distinguished |
|
1326 |
* names. |
|
1327 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1328 |
* Returns the issuer criterion as a {@code String}. This |
2 | 1329 |
* distinguished name must match the issuer distinguished name in the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1330 |
* {@code X509Certificate}. If {@code null}, the issuer criterion |
2 | 1331 |
* is disabled and any issuer distinguished name will do. |
1332 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1333 |
* If the value returned is not {@code null}, it is a |
2 | 1334 |
* distinguished name, in RFC 2253 format. |
1335 |
* |
|
1336 |
* @return the required issuer distinguished name in RFC 2253 format |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1337 |
* (or {@code null}) |
2 | 1338 |
*/ |
1339 |
public String getIssuerAsString() { |
|
1340 |
return (issuer == null ? null : issuer.getName()); |
|
1341 |
} |
|
1342 |
||
1343 |
/** |
|
1344 |
* Returns the issuer criterion as a byte array. This distinguished name |
|
1345 |
* must match the issuer distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1346 |
* {@code X509Certificate}. If {@code null}, the issuer criterion |
2 | 1347 |
* is disabled and any issuer distinguished name will do. |
1348 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1349 |
* If the value returned is not {@code null}, it is a byte |
2 | 1350 |
* array containing a single DER encoded distinguished name, as defined in |
1351 |
* X.501. The ASN.1 notation for this structure is supplied in the |
|
1352 |
* documentation for |
|
1353 |
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}. |
|
1354 |
* <p> |
|
1355 |
* Note that the byte array returned is cloned to protect against |
|
1356 |
* subsequent modifications. |
|
1357 |
* |
|
1358 |
* @return a byte array containing the required issuer distinguished name |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1359 |
* in ASN.1 DER format (or {@code null}) |
2 | 1360 |
* @throws IOException if an encoding error occurs |
1361 |
*/ |
|
1362 |
public byte[] getIssuerAsBytes() throws IOException { |
|
1363 |
return (issuer == null ? null: issuer.getEncoded()); |
|
1364 |
} |
|
1365 |
||
1366 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1367 |
* Returns the subject criterion as an {@code X500Principal}. This |
2 | 1368 |
* distinguished name must match the subject distinguished name in the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1369 |
* {@code X509Certificate}. If {@code null}, the subject criterion |
2 | 1370 |
* is disabled and any subject distinguished name will do. |
1371 |
* |
|
1372 |
* @return the required subject distinguished name as X500Principal |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1373 |
* (or {@code null}) |
2 | 1374 |
* @since 1.5 |
1375 |
*/ |
|
1376 |
public X500Principal getSubject() { |
|
1377 |
return subject; |
|
1378 |
} |
|
1379 |
||
1380 |
/** |
|
1381 |
* <strong>Denigrated</strong>, use {@linkplain #getSubject()} or |
|
1382 |
* {@linkplain #getSubjectAsBytes()} instead. This method should not be |
|
1383 |
* relied on as it can fail to match some certificates because of a loss of |
|
1384 |
* encoding information in the RFC 2253 String form of some distinguished |
|
1385 |
* names. |
|
1386 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1387 |
* Returns the subject criterion as a {@code String}. This |
2 | 1388 |
* distinguished name must match the subject distinguished name in the |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1389 |
* {@code X509Certificate}. If {@code null}, the subject criterion |
2 | 1390 |
* is disabled and any subject distinguished name will do. |
1391 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1392 |
* If the value returned is not {@code null}, it is a |
2 | 1393 |
* distinguished name, in RFC 2253 format. |
1394 |
* |
|
1395 |
* @return the required subject distinguished name in RFC 2253 format |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1396 |
* (or {@code null}) |
2 | 1397 |
*/ |
1398 |
public String getSubjectAsString() { |
|
1399 |
return (subject == null ? null : subject.getName()); |
|
1400 |
} |
|
1401 |
||
1402 |
/** |
|
1403 |
* Returns the subject criterion as a byte array. This distinguished name |
|
1404 |
* must match the subject distinguished name in the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1405 |
* {@code X509Certificate}. If {@code null}, the subject criterion |
2 | 1406 |
* is disabled and any subject distinguished name will do. |
1407 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1408 |
* If the value returned is not {@code null}, it is a byte |
2 | 1409 |
* array containing a single DER encoded distinguished name, as defined in |
1410 |
* X.501. The ASN.1 notation for this structure is supplied in the |
|
1411 |
* documentation for |
|
1412 |
* {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}. |
|
1413 |
* <p> |
|
1414 |
* Note that the byte array returned is cloned to protect against |
|
1415 |
* subsequent modifications. |
|
1416 |
* |
|
1417 |
* @return a byte array containing the required subject distinguished name |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1418 |
* in ASN.1 DER format (or {@code null}) |
2 | 1419 |
* @throws IOException if an encoding error occurs |
1420 |
*/ |
|
1421 |
public byte[] getSubjectAsBytes() throws IOException { |
|
1422 |
return (subject == null ? null : subject.getEncoded()); |
|
1423 |
} |
|
1424 |
||
1425 |
/** |
|
1426 |
* Returns the subjectKeyIdentifier criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1427 |
* {@code X509Certificate} must contain a SubjectKeyIdentifier |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1428 |
* extension with the specified value. If {@code null}, no |
2 | 1429 |
* subjectKeyIdentifier check will be done. |
1430 |
* <p> |
|
1431 |
* Note that the byte array returned is cloned to protect against |
|
1432 |
* subsequent modifications. |
|
1433 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1434 |
* @return the key identifier (or {@code null}) |
2 | 1435 |
* @see #setSubjectKeyIdentifier |
1436 |
*/ |
|
1437 |
public byte[] getSubjectKeyIdentifier() { |
|
1438 |
if (subjectKeyID == null) { |
|
1439 |
return null; |
|
1440 |
} |
|
51 | 1441 |
return subjectKeyID.clone(); |
2 | 1442 |
} |
1443 |
||
1444 |
/** |
|
1445 |
* Returns the authorityKeyIdentifier criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1446 |
* {@code X509Certificate} must contain a AuthorityKeyIdentifier |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1447 |
* extension with the specified value. If {@code null}, no |
2 | 1448 |
* authorityKeyIdentifier check will be done. |
1449 |
* <p> |
|
1450 |
* Note that the byte array returned is cloned to protect against |
|
1451 |
* subsequent modifications. |
|
1452 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1453 |
* @return the key identifier (or {@code null}) |
2 | 1454 |
* @see #setAuthorityKeyIdentifier |
1455 |
*/ |
|
1456 |
public byte[] getAuthorityKeyIdentifier() { |
|
1457 |
if (authorityKeyID == null) { |
|
1458 |
return null; |
|
1459 |
} |
|
51 | 1460 |
return authorityKeyID.clone(); |
2 | 1461 |
} |
1462 |
||
1463 |
/** |
|
1464 |
* Returns the certificateValid criterion. The specified date must fall |
|
1465 |
* within the certificate validity period for the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1466 |
* {@code X509Certificate}. If {@code null}, no certificateValid |
2 | 1467 |
* check will be done. |
1468 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1469 |
* Note that the {@code Date} returned is cloned to protect against |
2 | 1470 |
* subsequent modifications. |
1471 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1472 |
* @return the {@code Date} to check (or {@code null}) |
2 | 1473 |
* @see #setCertificateValid |
1474 |
*/ |
|
1475 |
public Date getCertificateValid() { |
|
1476 |
if (certificateValid == null) { |
|
1477 |
return null; |
|
1478 |
} |
|
1479 |
return (Date)certificateValid.clone(); |
|
1480 |
} |
|
1481 |
||
1482 |
/** |
|
1483 |
* Returns the privateKeyValid criterion. The specified date must fall |
|
1484 |
* within the private key validity period for the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1485 |
* {@code X509Certificate}. If {@code null}, no privateKeyValid |
2 | 1486 |
* check will be done. |
1487 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1488 |
* Note that the {@code Date} returned is cloned to protect against |
2 | 1489 |
* subsequent modifications. |
1490 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1491 |
* @return the {@code Date} to check (or {@code null}) |
2 | 1492 |
* @see #setPrivateKeyValid |
1493 |
*/ |
|
1494 |
public Date getPrivateKeyValid() { |
|
1495 |
if (privateKeyValid == null) { |
|
1496 |
return null; |
|
1497 |
} |
|
1498 |
return (Date)privateKeyValid.clone(); |
|
1499 |
} |
|
1500 |
||
1501 |
/** |
|
1502 |
* Returns the subjectPublicKeyAlgID criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1503 |
* {@code X509Certificate} must contain a subject public key |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1504 |
* with the specified algorithm. If {@code null}, no |
2 | 1505 |
* subjectPublicKeyAlgID check will be done. |
1506 |
* |
|
1507 |
* @return the object identifier (OID) of the signature algorithm to check |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1508 |
* for (or {@code null}). An OID is represented by a set of |
2 | 1509 |
* nonnegative integers separated by periods. |
1510 |
* @see #setSubjectPublicKeyAlgID |
|
1511 |
*/ |
|
1512 |
public String getSubjectPublicKeyAlgID() { |
|
1513 |
if (subjectPublicKeyAlgID == null) { |
|
1514 |
return null; |
|
1515 |
} |
|
1516 |
return subjectPublicKeyAlgID.toString(); |
|
1517 |
} |
|
1518 |
||
1519 |
/** |
|
1520 |
* Returns the subjectPublicKey criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1521 |
* {@code X509Certificate} must contain the specified subject |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1522 |
* public key. If {@code null}, no subjectPublicKey check will be done. |
2 | 1523 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1524 |
* @return the subject public key to check for (or {@code null}) |
2 | 1525 |
* @see #setSubjectPublicKey |
1526 |
*/ |
|
1527 |
public PublicKey getSubjectPublicKey() { |
|
1528 |
return subjectPublicKey; |
|
1529 |
} |
|
1530 |
||
1531 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1532 |
* Returns the keyUsage criterion. The {@code X509Certificate} |
2 | 1533 |
* must allow the specified keyUsage values. If null, no keyUsage |
1534 |
* check will be done. |
|
1535 |
* <p> |
|
1536 |
* Note that the boolean array returned is cloned to protect against |
|
1537 |
* subsequent modifications. |
|
1538 |
* |
|
1539 |
* @return a boolean array in the same format as the boolean |
|
1540 |
* array returned by |
|
1541 |
* {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1542 |
* Or {@code null}. |
2 | 1543 |
* @see #setKeyUsage |
1544 |
*/ |
|
1545 |
public boolean[] getKeyUsage() { |
|
1546 |
if (keyUsage == null) { |
|
1547 |
return null; |
|
1548 |
} |
|
51 | 1549 |
return keyUsage.clone(); |
2 | 1550 |
} |
1551 |
||
1552 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1553 |
* Returns the extendedKeyUsage criterion. The {@code X509Certificate} |
2 | 1554 |
* must allow the specified key purposes in its extended key usage |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1555 |
* extension. If the {@code keyPurposeSet} returned is empty or |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1556 |
* {@code null}, no extendedKeyUsage check will be done. Note that an |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1557 |
* {@code X509Certificate} that has no extendedKeyUsage extension |
2 | 1558 |
* implicitly allows all key purposes. |
1559 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1560 |
* @return an immutable {@code Set} of key purpose OIDs in string |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1561 |
* format (or {@code null}) |
2 | 1562 |
* @see #setExtendedKeyUsage |
1563 |
*/ |
|
1564 |
public Set<String> getExtendedKeyUsage() { |
|
1565 |
return keyPurposeSet; |
|
1566 |
} |
|
1567 |
||
1568 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1569 |
* Indicates if the {@code X509Certificate} must contain all |
2 | 1570 |
* or at least one of the subjectAlternativeNames |
1571 |
* specified in the {@link #setSubjectAlternativeNames |
|
1572 |
* setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1573 |
* addSubjectAlternativeName} methods. If {@code true}, |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1574 |
* the {@code X509Certificate} must contain all of the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1575 |
* specified subject alternative names. If {@code false}, the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1576 |
* {@code X509Certificate} must contain at least one of the |
2 | 1577 |
* specified subject alternative names. |
1578 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1579 |
* @return {@code true} if the flag is enabled; |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1580 |
* {@code false} if the flag is disabled. The flag is |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1581 |
* {@code true} by default. |
2 | 1582 |
* @see #setMatchAllSubjectAltNames |
1583 |
*/ |
|
1584 |
public boolean getMatchAllSubjectAltNames() { |
|
1585 |
return matchAllSubjectAltNames; |
|
1586 |
} |
|
1587 |
||
1588 |
/** |
|
1589 |
* Returns a copy of the subjectAlternativeNames criterion. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1590 |
* The {@code X509Certificate} must contain all or at least one |
2 | 1591 |
* of the specified subjectAlternativeNames, depending on the value |
1592 |
* of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames |
|
1593 |
* getMatchAllSubjectAltNames}). If the value returned is |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1594 |
* {@code null}, no subjectAlternativeNames check will be performed. |
2 | 1595 |
* <p> |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1596 |
* If the value returned is not {@code null}, it is a |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1597 |
* {@code Collection} with |
2 | 1598 |
* one entry for each name to be included in the subject alternative name |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1599 |
* criterion. Each entry is a {@code List} whose first entry is an |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1600 |
* {@code Integer} (the name type, 0-8) and whose second |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1601 |
* entry is a {@code String} or a byte array (the name, in |
2 | 1602 |
* string or ASN.1 DER encoded form, respectively). |
1603 |
* There can be multiple names of the same type. Note that the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1604 |
* {@code Collection} returned may contain duplicate names (same name |
2 | 1605 |
* and name type). |
1606 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1607 |
* Each subject alternative name in the {@code Collection} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1608 |
* may be specified either as a {@code String} or as an ASN.1 encoded |
2 | 1609 |
* byte array. For more details about the formats used, see |
1610 |
* {@link #addSubjectAlternativeName(int type, String name) |
|
1611 |
* addSubjectAlternativeName(int type, String name)} and |
|
1612 |
* {@link #addSubjectAlternativeName(int type, byte [] name) |
|
1613 |
* addSubjectAlternativeName(int type, byte [] name)}. |
|
1614 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1615 |
* Note that a deep copy is performed on the {@code Collection} to |
2 | 1616 |
* protect against subsequent modifications. |
1617 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1618 |
* @return a {@code Collection} of names (or {@code null}) |
2 | 1619 |
* @see #setSubjectAlternativeNames |
1620 |
*/ |
|
1621 |
public Collection<List<?>> getSubjectAlternativeNames() { |
|
1622 |
if (subjectAlternativeNames == null) { |
|
1623 |
return null; |
|
1624 |
} |
|
1625 |
return cloneNames(subjectAlternativeNames); |
|
1626 |
} |
|
1627 |
||
1628 |
/** |
|
1629 |
* Clone an object of the form passed to |
|
1630 |
* setSubjectAlternativeNames and setPathToNames. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1631 |
* Throw a {@code RuntimeException} if the argument is malformed. |
2 | 1632 |
* <p> |
1633 |
* This method wraps cloneAndCheckNames, changing any |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1634 |
* {@code IOException} into a {@code RuntimeException}. This |
2 | 1635 |
* method should be used when the object being |
1636 |
* cloned has already been checked, so there should never be any exceptions. |
|
1637 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1638 |
* @param names a {@code Collection} with one entry per name. |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1639 |
* Each entry is a {@code List} whose first entry |
2 | 1640 |
* is an Integer (the name type, 0-8) and whose second |
1641 |
* entry is a String or a byte array (the name, in |
|
1642 |
* string or ASN.1 DER encoded form, respectively). |
|
1643 |
* There can be multiple names of the same type. Null |
|
1644 |
* is not an acceptable value. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1645 |
* @return a deep copy of the specified {@code Collection} |
2 | 1646 |
* @throws RuntimeException if a parsing error occurs |
1647 |
*/ |
|
1648 |
private static Set<List<?>> cloneNames(Collection<List<?>> names) { |
|
1649 |
try { |
|
1650 |
return cloneAndCheckNames(names); |
|
1651 |
} catch (IOException e) { |
|
1652 |
throw new RuntimeException("cloneNames encountered IOException: " + |
|
1653 |
e.getMessage()); |
|
1654 |
} |
|
1655 |
} |
|
1656 |
||
1657 |
/** |
|
1658 |
* Clone and check an argument of the form passed to |
|
1659 |
* setSubjectAlternativeNames and setPathToNames. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1660 |
* Throw an {@code IOException} if the argument is malformed. |
2 | 1661 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1662 |
* @param names a {@code Collection} with one entry per name. |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1663 |
* Each entry is a {@code List} whose first entry |
2 | 1664 |
* is an Integer (the name type, 0-8) and whose second |
1665 |
* entry is a String or a byte array (the name, in |
|
1666 |
* string or ASN.1 DER encoded form, respectively). |
|
1667 |
* There can be multiple names of the same type. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1668 |
* {@code null} is not an acceptable value. |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1669 |
* @return a deep copy of the specified {@code Collection} |
2 | 1670 |
* @throws IOException if a parsing error occurs |
1671 |
*/ |
|
1672 |
private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException { |
|
1673 |
// Copy the Lists and Collection |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1674 |
Set<List<?>> namesCopy = new HashSet<>(); |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
1675 |
for (List<?> o : names) |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
1676 |
{ |
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
1677 |
namesCopy.add(new ArrayList<>(o)); |
2 | 1678 |
} |
1679 |
||
1680 |
// Check the contents of the Lists and clone any byte arrays |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
1681 |
for (List<?> list : namesCopy) { |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
1682 |
@SuppressWarnings("unchecked") // See javadoc for parameter "names". |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
1683 |
List<Object> nameList = (List<Object>)list; |
2 | 1684 |
if (nameList.size() != 2) { |
1685 |
throw new IOException("name list size not 2"); |
|
1686 |
} |
|
1687 |
Object o = nameList.get(0); |
|
1688 |
if (!(o instanceof Integer)) { |
|
1689 |
throw new IOException("expected an Integer"); |
|
1690 |
} |
|
1691 |
int nameType = ((Integer)o).intValue(); |
|
1692 |
if ((nameType < 0) || (nameType > 8)) { |
|
1693 |
throw new IOException("name type not 0-8"); |
|
1694 |
} |
|
1695 |
Object nameObject = nameList.get(1); |
|
1696 |
if (!(nameObject instanceof byte[]) && |
|
1697 |
!(nameObject instanceof String)) { |
|
1698 |
if (debug != null) { |
|
1699 |
debug.println("X509CertSelector.cloneAndCheckNames() " |
|
1700 |
+ "name not byte array"); |
|
1701 |
} |
|
1702 |
throw new IOException("name not byte array or String"); |
|
1703 |
} |
|
1704 |
if (nameObject instanceof byte[]) { |
|
1705 |
nameList.set(1, ((byte[]) nameObject).clone()); |
|
1706 |
} |
|
1707 |
} |
|
1708 |
return namesCopy; |
|
1709 |
} |
|
1710 |
||
1711 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1712 |
* Returns the name constraints criterion. The {@code X509Certificate} |
2 | 1713 |
* must have subject and subject alternative names that |
1714 |
* meet the specified name constraints. |
|
1715 |
* <p> |
|
1716 |
* The name constraints are returned as a byte array. This byte array |
|
1717 |
* contains the DER encoded form of the name constraints, as they |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
1718 |
* would appear in the NameConstraints structure defined in RFC 5280 |
2 | 1719 |
* and X.509. The ASN.1 notation for this structure is supplied in the |
1720 |
* documentation for |
|
1721 |
* {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}. |
|
1722 |
* <p> |
|
1723 |
* Note that the byte array returned is cloned to protect against |
|
1724 |
* subsequent modifications. |
|
1725 |
* |
|
1726 |
* @return a byte array containing the ASN.1 DER encoding of |
|
1727 |
* a NameConstraints extension used for checking name constraints. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1728 |
* {@code null} if no name constraints check will be performed. |
2 | 1729 |
* @see #setNameConstraints |
1730 |
*/ |
|
1731 |
public byte[] getNameConstraints() { |
|
1732 |
if (ncBytes == null) { |
|
1733 |
return null; |
|
1734 |
} else { |
|
51 | 1735 |
return ncBytes.clone(); |
2 | 1736 |
} |
1737 |
} |
|
1738 |
||
1739 |
/** |
|
1740 |
* Returns the basic constraints constraint. If the value is greater than |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1741 |
* or equal to zero, the {@code X509Certificates} must include a |
2 | 1742 |
* basicConstraints extension with a pathLen of at least this value. |
1743 |
* If the value is -2, only end-entity certificates are accepted. If |
|
1744 |
* the value is -1, no basicConstraints check is done. |
|
1745 |
* |
|
1746 |
* @return the value for the basic constraints constraint |
|
1747 |
* @see #setBasicConstraints |
|
1748 |
*/ |
|
1749 |
public int getBasicConstraints() { |
|
1750 |
return basicConstraints; |
|
1751 |
} |
|
1752 |
||
1753 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1754 |
* Returns the policy criterion. The {@code X509Certificate} must |
2 | 1755 |
* include at least one of the specified policies in its certificate policies |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1756 |
* extension. If the {@code Set} returned is empty, then the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1757 |
* {@code X509Certificate} must include at least some specified policy |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1758 |
* in its certificate policies extension. If the {@code Set} returned is |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1759 |
* {@code null}, no policy check will be performed. |
2 | 1760 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1761 |
* @return an immutable {@code Set} of certificate policy OIDs in |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1762 |
* string format (or {@code null}) |
2 | 1763 |
* @see #setPolicy |
1764 |
*/ |
|
1765 |
public Set<String> getPolicy() { |
|
1766 |
return policySet; |
|
1767 |
} |
|
1768 |
||
1769 |
/** |
|
1770 |
* Returns a copy of the pathToNames criterion. The |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1771 |
* {@code X509Certificate} must not include name constraints that would |
2 | 1772 |
* prohibit building a path to the specified names. If the value |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1773 |
* returned is {@code null}, no pathToNames check will be performed. |
2 | 1774 |
* <p> |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1775 |
* If the value returned is not {@code null}, it is a |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1776 |
* {@code Collection} with one |
2 | 1777 |
* entry for each name to be included in the pathToNames |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1778 |
* criterion. Each entry is a {@code List} whose first entry is an |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1779 |
* {@code Integer} (the name type, 0-8) and whose second |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1780 |
* entry is a {@code String} or a byte array (the name, in |
2 | 1781 |
* string or ASN.1 DER encoded form, respectively). |
1782 |
* There can be multiple names of the same type. Note that the |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1783 |
* {@code Collection} returned may contain duplicate names (same |
2 | 1784 |
* name and name type). |
1785 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1786 |
* Each name in the {@code Collection} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1787 |
* may be specified either as a {@code String} or as an ASN.1 encoded |
2 | 1788 |
* byte array. For more details about the formats used, see |
1789 |
* {@link #addPathToName(int type, String name) |
|
1790 |
* addPathToName(int type, String name)} and |
|
1791 |
* {@link #addPathToName(int type, byte [] name) |
|
1792 |
* addPathToName(int type, byte [] name)}. |
|
1793 |
* <p> |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1794 |
* Note that a deep copy is performed on the {@code Collection} to |
2 | 1795 |
* protect against subsequent modifications. |
1796 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1797 |
* @return a {@code Collection} of names (or {@code null}) |
2 | 1798 |
* @see #setPathToNames |
1799 |
*/ |
|
1800 |
public Collection<List<?>> getPathToNames() { |
|
1801 |
if (pathToNames == null) { |
|
1802 |
return null; |
|
1803 |
} |
|
1804 |
return cloneNames(pathToNames); |
|
1805 |
} |
|
1806 |
||
1807 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1808 |
* Return a printable representation of the {@code CertSelector}. |
2 | 1809 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1810 |
* @return a {@code String} describing the contents of the |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1811 |
* {@code CertSelector} |
2 | 1812 |
*/ |
1813 |
public String toString() { |
|
24969
afa6934dd8e8
8041679: Replace uses of StringBuffer with StringBuilder within core library classes
psandoz
parents:
21334
diff
changeset
|
1814 |
StringBuilder sb = new StringBuilder(); |
2 | 1815 |
sb.append("X509CertSelector: [\n"); |
1816 |
if (x509Cert != null) { |
|
1817 |
sb.append(" Certificate: " + x509Cert.toString() + "\n"); |
|
1818 |
} |
|
1819 |
if (serialNumber != null) { |
|
1820 |
sb.append(" Serial Number: " + serialNumber.toString() + "\n"); |
|
1821 |
} |
|
1822 |
if (issuer != null) { |
|
1823 |
sb.append(" Issuer: " + getIssuerAsString() + "\n"); |
|
1824 |
} |
|
1825 |
if (subject != null) { |
|
1826 |
sb.append(" Subject: " + getSubjectAsString() + "\n"); |
|
1827 |
} |
|
1828 |
sb.append(" matchAllSubjectAltNames flag: " |
|
1829 |
+ String.valueOf(matchAllSubjectAltNames) + "\n"); |
|
1830 |
if (subjectAlternativeNames != null) { |
|
1831 |
sb.append(" SubjectAlternativeNames:\n"); |
|
1832 |
Iterator<List<?>> i = subjectAlternativeNames.iterator(); |
|
1833 |
while (i.hasNext()) { |
|
1834 |
List<?> list = i.next(); |
|
1835 |
sb.append(" type " + list.get(0) + |
|
1836 |
", name " + list.get(1) + "\n"); |
|
1837 |
} |
|
1838 |
} |
|
1839 |
if (subjectKeyID != null) { |
|
1840 |
HexDumpEncoder enc = new HexDumpEncoder(); |
|
1841 |
sb.append(" Subject Key Identifier: " + |
|
1842 |
enc.encodeBuffer(subjectKeyID) + "\n"); |
|
1843 |
} |
|
1844 |
if (authorityKeyID != null) { |
|
1845 |
HexDumpEncoder enc = new HexDumpEncoder(); |
|
1846 |
sb.append(" Authority Key Identifier: " + |
|
1847 |
enc.encodeBuffer(authorityKeyID) + "\n"); |
|
1848 |
} |
|
1849 |
if (certificateValid != null) { |
|
1850 |
sb.append(" Certificate Valid: " + |
|
1851 |
certificateValid.toString() + "\n"); |
|
1852 |
} |
|
1853 |
if (privateKeyValid != null) { |
|
1854 |
sb.append(" Private Key Valid: " + |
|
1855 |
privateKeyValid.toString() + "\n"); |
|
1856 |
} |
|
1857 |
if (subjectPublicKeyAlgID != null) { |
|
1858 |
sb.append(" Subject Public Key AlgID: " + |
|
1859 |
subjectPublicKeyAlgID.toString() + "\n"); |
|
1860 |
} |
|
1861 |
if (subjectPublicKey != null) { |
|
1862 |
sb.append(" Subject Public Key: " + |
|
1863 |
subjectPublicKey.toString() + "\n"); |
|
1864 |
} |
|
1865 |
if (keyUsage != null) { |
|
1866 |
sb.append(" Key Usage: " + keyUsageToString(keyUsage) + "\n"); |
|
1867 |
} |
|
1868 |
if (keyPurposeSet != null) { |
|
1869 |
sb.append(" Extended Key Usage: " + |
|
1870 |
keyPurposeSet.toString() + "\n"); |
|
1871 |
} |
|
1872 |
if (policy != null) { |
|
1873 |
sb.append(" Policy: " + policy.toString() + "\n"); |
|
1874 |
} |
|
1875 |
if (pathToGeneralNames != null) { |
|
1876 |
sb.append(" Path to names:\n"); |
|
1877 |
Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator(); |
|
1878 |
while (i.hasNext()) { |
|
1879 |
sb.append(" " + i.next() + "\n"); |
|
1880 |
} |
|
1881 |
} |
|
1882 |
sb.append("]"); |
|
1883 |
return sb.toString(); |
|
1884 |
} |
|
1885 |
||
1886 |
// Copied from sun.security.x509.KeyUsageExtension |
|
1887 |
// (without calling the superclass) |
|
1888 |
/** |
|
1889 |
* Returns a printable representation of the KeyUsage. |
|
1890 |
*/ |
|
1891 |
private static String keyUsageToString(boolean[] k) { |
|
1892 |
String s = "KeyUsage [\n"; |
|
1893 |
try { |
|
1894 |
if (k[0]) { |
|
1895 |
s += " DigitalSignature\n"; |
|
1896 |
} |
|
1897 |
if (k[1]) { |
|
1898 |
s += " Non_repudiation\n"; |
|
1899 |
} |
|
1900 |
if (k[2]) { |
|
1901 |
s += " Key_Encipherment\n"; |
|
1902 |
} |
|
1903 |
if (k[3]) { |
|
1904 |
s += " Data_Encipherment\n"; |
|
1905 |
} |
|
1906 |
if (k[4]) { |
|
1907 |
s += " Key_Agreement\n"; |
|
1908 |
} |
|
1909 |
if (k[5]) { |
|
1910 |
s += " Key_CertSign\n"; |
|
1911 |
} |
|
1912 |
if (k[6]) { |
|
1913 |
s += " Crl_Sign\n"; |
|
1914 |
} |
|
1915 |
if (k[7]) { |
|
1916 |
s += " Encipher_Only\n"; |
|
1917 |
} |
|
1918 |
if (k[8]) { |
|
1919 |
s += " Decipher_Only\n"; |
|
1920 |
} |
|
1921 |
} catch (ArrayIndexOutOfBoundsException ex) {} |
|
1922 |
||
1923 |
s += "]\n"; |
|
1924 |
||
1925 |
return (s); |
|
1926 |
} |
|
1927 |
||
1928 |
/** |
|
1929 |
* Returns an Extension object given any X509Certificate and extension oid. |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1930 |
* Throw an {@code IOException} if the extension byte value is |
2 | 1931 |
* malformed. |
1932 |
* |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1933 |
* @param cert a {@code X509Certificate} |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1934 |
* @param extId an {@code integer} which specifies the extension index. |
2 | 1935 |
* Currently, the supported extensions are as follows: |
1936 |
* index 0 - PrivateKeyUsageExtension |
|
1937 |
* index 1 - SubjectAlternativeNameExtension |
|
1938 |
* index 2 - NameConstraintsExtension |
|
1939 |
* index 3 - CertificatePoliciesExtension |
|
1940 |
* index 4 - ExtendedKeyUsageExtension |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1941 |
* @return an {@code Extension} object whose real type is as specified |
2 | 1942 |
* by the extension oid. |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1943 |
* @throws IOException if cannot construct the {@code Extension} |
2 | 1944 |
* object with the extension encoding retrieved from the passed in |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1945 |
* {@code X509Certificate}. |
2 | 1946 |
*/ |
1947 |
private static Extension getExtensionObject(X509Certificate cert, int extId) |
|
1948 |
throws IOException { |
|
1949 |
if (cert instanceof X509CertImpl) { |
|
1950 |
X509CertImpl impl = (X509CertImpl)cert; |
|
1951 |
switch (extId) { |
|
1952 |
case PRIVATE_KEY_USAGE_ID: |
|
1953 |
return impl.getPrivateKeyUsageExtension(); |
|
1954 |
case SUBJECT_ALT_NAME_ID: |
|
1955 |
return impl.getSubjectAlternativeNameExtension(); |
|
1956 |
case NAME_CONSTRAINTS_ID: |
|
1957 |
return impl.getNameConstraintsExtension(); |
|
1958 |
case CERT_POLICIES_ID: |
|
1959 |
return impl.getCertificatePoliciesExtension(); |
|
1960 |
case EXTENDED_KEY_USAGE_ID: |
|
1961 |
return impl.getExtendedKeyUsageExtension(); |
|
1962 |
default: |
|
1963 |
return null; |
|
1964 |
} |
|
1965 |
} |
|
1966 |
byte[] rawExtVal = cert.getExtensionValue(EXTENSION_OIDS[extId]); |
|
1967 |
if (rawExtVal == null) { |
|
1968 |
return null; |
|
1969 |
} |
|
1970 |
DerInputStream in = new DerInputStream(rawExtVal); |
|
1971 |
byte[] encoded = in.getOctetString(); |
|
1972 |
switch (extId) { |
|
1973 |
case PRIVATE_KEY_USAGE_ID: |
|
1974 |
try { |
|
1975 |
return new PrivateKeyUsageExtension(FALSE, encoded); |
|
1976 |
} catch (CertificateException ex) { |
|
1977 |
throw new IOException(ex.getMessage()); |
|
1978 |
} |
|
1979 |
case SUBJECT_ALT_NAME_ID: |
|
1980 |
return new SubjectAlternativeNameExtension(FALSE, encoded); |
|
1981 |
case NAME_CONSTRAINTS_ID: |
|
1982 |
return new NameConstraintsExtension(FALSE, encoded); |
|
1983 |
case CERT_POLICIES_ID: |
|
1984 |
return new CertificatePoliciesExtension(FALSE, encoded); |
|
1985 |
case EXTENDED_KEY_USAGE_ID: |
|
1986 |
return new ExtendedKeyUsageExtension(FALSE, encoded); |
|
1987 |
default: |
|
1988 |
return null; |
|
1989 |
} |
|
1990 |
} |
|
1991 |
||
1992 |
/** |
|
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1993 |
* Decides whether a {@code Certificate} should be selected. |
2 | 1994 |
* |
18551
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1995 |
* @param cert the {@code Certificate} to be checked |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1996 |
* @return {@code true} if the {@code Certificate} should be |
882a3948c6e6
8017325: Cleanup of the javadoc <code> tag in java.security.cert
juh
parents:
10419
diff
changeset
|
1997 |
* selected, {@code false} otherwise |
2 | 1998 |
*/ |
1999 |
public boolean match(Certificate cert) { |
|
2000 |
if (!(cert instanceof X509Certificate)) { |
|
2001 |
return false; |
|
2002 |
} |
|
2003 |
X509Certificate xcert = (X509Certificate)cert; |
|
2004 |
||
2005 |
if (debug != null) { |
|
2006 |
debug.println("X509CertSelector.match(SN: " |
|
2007 |
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: " |
|
2008 |
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN() |
|
2009 |
+ ")"); |
|
2010 |
} |
|
2011 |
||
2012 |
/* match on X509Certificate */ |
|
2013 |
if (x509Cert != null) { |
|
2014 |
if (!x509Cert.equals(xcert)) { |
|
2015 |
if (debug != null) { |
|
2016 |
debug.println("X509CertSelector.match: " |
|
2017 |
+ "certs don't match"); |
|
2018 |
} |
|
2019 |
return false; |
|
2020 |
} |
|
2021 |
} |
|
2022 |
||
2023 |
/* match on serial number */ |
|
2024 |
if (serialNumber != null) { |
|
2025 |
if (!serialNumber.equals(xcert.getSerialNumber())) { |
|
2026 |
if (debug != null) { |
|
2027 |
debug.println("X509CertSelector.match: " |
|
2028 |
+ "serial numbers don't match"); |
|
2029 |
} |
|
2030 |
return false; |
|
2031 |
} |
|
2032 |
} |
|
2033 |
||
2034 |
/* match on issuer name */ |
|
2035 |
if (issuer != null) { |
|
2036 |
if (!issuer.equals(xcert.getIssuerX500Principal())) { |
|
2037 |
if (debug != null) { |
|
2038 |
debug.println("X509CertSelector.match: " |
|
2039 |
+ "issuer DNs don't match"); |
|
2040 |
} |
|
2041 |
return false; |
|
2042 |
} |
|
2043 |
} |
|
2044 |
||
2045 |
/* match on subject name */ |
|
2046 |
if (subject != null) { |
|
2047 |
if (!subject.equals(xcert.getSubjectX500Principal())) { |
|
2048 |
if (debug != null) { |
|
2049 |
debug.println("X509CertSelector.match: " |
|
2050 |
+ "subject DNs don't match"); |
|
2051 |
} |
|
2052 |
return false; |
|
2053 |
} |
|
2054 |
} |
|
2055 |
||
2056 |
/* match on certificate validity range */ |
|
2057 |
if (certificateValid != null) { |
|
2058 |
try { |
|
2059 |
xcert.checkValidity(certificateValid); |
|
2060 |
} catch (CertificateException e) { |
|
2061 |
if (debug != null) { |
|
2062 |
debug.println("X509CertSelector.match: " |
|
2063 |
+ "certificate not within validity period"); |
|
2064 |
} |
|
2065 |
return false; |
|
2066 |
} |
|
2067 |
} |
|
2068 |
||
2069 |
/* match on subject public key */ |
|
2070 |
if (subjectPublicKeyBytes != null) { |
|
2071 |
byte[] certKey = xcert.getPublicKey().getEncoded(); |
|
2072 |
if (!Arrays.equals(subjectPublicKeyBytes, certKey)) { |
|
2073 |
if (debug != null) { |
|
2074 |
debug.println("X509CertSelector.match: " |
|
2075 |
+ "subject public keys don't match"); |
|
2076 |
} |
|
2077 |
return false; |
|
2078 |
} |
|
2079 |
} |
|
2080 |
||
2081 |
boolean result = matchBasicConstraints(xcert) |
|
2082 |
&& matchKeyUsage(xcert) |
|
2083 |
&& matchExtendedKeyUsage(xcert) |
|
2084 |
&& matchSubjectKeyID(xcert) |
|
2085 |
&& matchAuthorityKeyID(xcert) |
|
2086 |
&& matchPrivateKeyValid(xcert) |
|
2087 |
&& matchSubjectPublicKeyAlgID(xcert) |
|
2088 |
&& matchPolicy(xcert) |
|
2089 |
&& matchSubjectAlternativeNames(xcert) |
|
2090 |
&& matchPathToNames(xcert) |
|
2091 |
&& matchNameConstraints(xcert); |
|
2092 |
||
2093 |
if (result && (debug != null)) { |
|
2094 |
debug.println("X509CertSelector.match returning: true"); |
|
2095 |
} |
|
2096 |
return result; |
|
2097 |
} |
|
2098 |
||
2099 |
/* match on subject key identifier extension value */ |
|
2100 |
private boolean matchSubjectKeyID(X509Certificate xcert) { |
|
2101 |
if (subjectKeyID == null) { |
|
2102 |
return true; |
|
2103 |
} |
|
2104 |
try { |
|
2105 |
byte[] extVal = xcert.getExtensionValue("2.5.29.14"); |
|
2106 |
if (extVal == null) { |
|
2107 |
if (debug != null) { |
|
2108 |
debug.println("X509CertSelector.match: " |
|
2109 |
+ "no subject key ID extension"); |
|
2110 |
} |
|
2111 |
return false; |
|
2112 |
} |
|
2113 |
DerInputStream in = new DerInputStream(extVal); |
|
2114 |
byte[] certSubjectKeyID = in.getOctetString(); |
|
2115 |
if (certSubjectKeyID == null || |
|
2116 |
!Arrays.equals(subjectKeyID, certSubjectKeyID)) { |
|
2117 |
if (debug != null) { |
|
55459
00f29fe98900
8133489: Better messaging for PKIX path validation matching
coffeys
parents:
47216
diff
changeset
|
2118 |
debug.println("X509CertSelector.match: subject key IDs " + |
00f29fe98900
8133489: Better messaging for PKIX path validation matching
coffeys
parents:
47216
diff
changeset
|
2119 |
"don't match\nX509CertSelector.match: subjectKeyID: " + |
00f29fe98900
8133489: Better messaging for PKIX path validation matching
coffeys
parents:
47216
diff
changeset
|
2120 |
Arrays.toString(subjectKeyID) + |
00f29fe98900
8133489: Better messaging for PKIX path validation matching
coffeys
parents:
47216
diff
changeset
|
2121 |
"\nX509CertSelector.match: certSubjectKeyID: " + |
00f29fe98900
8133489: Better messaging for PKIX path validation matching
coffeys
parents:
47216
diff
changeset
|
2122 |
Arrays.toString(certSubjectKeyID)); |
2 | 2123 |
} |
2124 |
return false; |
|
2125 |
} |
|
2126 |
} catch (IOException ex) { |
|
2127 |
if (debug != null) { |
|
2128 |
debug.println("X509CertSelector.match: " |
|
2129 |
+ "exception in subject key ID check"); |
|
2130 |
} |
|
2131 |
return false; |
|
2132 |
} |
|
2133 |
return true; |
|
2134 |
} |
|
2135 |
||
2136 |
/* match on authority key identifier extension value */ |
|
2137 |
private boolean matchAuthorityKeyID(X509Certificate xcert) { |
|
2138 |
if (authorityKeyID == null) { |
|
2139 |
return true; |
|
2140 |
} |
|
2141 |
try { |
|
2142 |
byte[] extVal = xcert.getExtensionValue("2.5.29.35"); |
|
2143 |
if (extVal == null) { |
|
2144 |
if (debug != null) { |
|
2145 |
debug.println("X509CertSelector.match: " |
|
2146 |
+ "no authority key ID extension"); |
|
2147 |
} |
|
2148 |
return false; |
|
2149 |
} |
|
2150 |
DerInputStream in = new DerInputStream(extVal); |
|
2151 |
byte[] certAuthKeyID = in.getOctetString(); |
|
2152 |
if (certAuthKeyID == null || |
|
2153 |
!Arrays.equals(authorityKeyID, certAuthKeyID)) { |
|
2154 |
if (debug != null) { |
|
2155 |
debug.println("X509CertSelector.match: " |
|
2156 |
+ "authority key IDs don't match"); |
|
2157 |
} |
|
2158 |
return false; |
|
2159 |
} |
|
2160 |
} catch (IOException ex) { |
|
2161 |
if (debug != null) { |
|
2162 |
debug.println("X509CertSelector.match: " |
|
2163 |
+ "exception in authority key ID check"); |
|
2164 |
} |
|
2165 |
return false; |
|
2166 |
} |
|
2167 |
return true; |
|
2168 |
} |
|
2169 |
||
2170 |
/* match on private key usage range */ |
|
2171 |
private boolean matchPrivateKeyValid(X509Certificate xcert) { |
|
2172 |
if (privateKeyValid == null) { |
|
2173 |
return true; |
|
2174 |
} |
|
2175 |
PrivateKeyUsageExtension ext = null; |
|
2176 |
try { |
|
2177 |
ext = (PrivateKeyUsageExtension) |
|
2178 |
getExtensionObject(xcert, PRIVATE_KEY_USAGE_ID); |
|
2179 |
if (ext != null) { |
|
2180 |
ext.valid(privateKeyValid); |
|
2181 |
} |
|
2182 |
} catch (CertificateExpiredException e1) { |
|
2183 |
if (debug != null) { |
|
2184 |
String time = "n/a"; |
|
2185 |
try { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2186 |
Date notAfter = ext.get(PrivateKeyUsageExtension.NOT_AFTER); |
2 | 2187 |
time = notAfter.toString(); |
2188 |
} catch (CertificateException ex) { |
|
2189 |
// not able to retrieve notAfter value |
|
2190 |
} |
|
2191 |
debug.println("X509CertSelector.match: private key usage not " |
|
2192 |
+ "within validity date; ext.NOT_After: " |
|
2193 |
+ time + "; X509CertSelector: " |
|
2194 |
+ this.toString()); |
|
2195 |
e1.printStackTrace(); |
|
2196 |
} |
|
2197 |
return false; |
|
2198 |
} catch (CertificateNotYetValidException e2) { |
|
2199 |
if (debug != null) { |
|
2200 |
String time = "n/a"; |
|
2201 |
try { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2202 |
Date notBefore = ext.get(PrivateKeyUsageExtension.NOT_BEFORE); |
2 | 2203 |
time = notBefore.toString(); |
2204 |
} catch (CertificateException ex) { |
|
2205 |
// not able to retrieve notBefore value |
|
2206 |
} |
|
2207 |
debug.println("X509CertSelector.match: private key usage not " |
|
2208 |
+ "within validity date; ext.NOT_BEFORE: " |
|
2209 |
+ time + "; X509CertSelector: " |
|
2210 |
+ this.toString()); |
|
2211 |
e2.printStackTrace(); |
|
2212 |
} |
|
2213 |
return false; |
|
2214 |
} catch (IOException e4) { |
|
2215 |
if (debug != null) { |
|
2216 |
debug.println("X509CertSelector.match: IOException in " |
|
2217 |
+ "private key usage check; X509CertSelector: " |
|
2218 |
+ this.toString()); |
|
2219 |
e4.printStackTrace(); |
|
2220 |
} |
|
2221 |
return false; |
|
2222 |
} |
|
2223 |
return true; |
|
2224 |
} |
|
2225 |
||
2226 |
/* match on subject public key algorithm OID */ |
|
2227 |
private boolean matchSubjectPublicKeyAlgID(X509Certificate xcert) { |
|
2228 |
if (subjectPublicKeyAlgID == null) { |
|
2229 |
return true; |
|
2230 |
} |
|
2231 |
try { |
|
2232 |
byte[] encodedKey = xcert.getPublicKey().getEncoded(); |
|
2233 |
DerValue val = new DerValue(encodedKey); |
|
2234 |
if (val.tag != DerValue.tag_Sequence) { |
|
2235 |
throw new IOException("invalid key format"); |
|
2236 |
} |
|
2237 |
||
2238 |
AlgorithmId algID = AlgorithmId.parse(val.data.getDerValue()); |
|
2239 |
if (debug != null) { |
|
2240 |
debug.println("X509CertSelector.match: subjectPublicKeyAlgID = " |
|
2241 |
+ subjectPublicKeyAlgID + ", xcert subjectPublicKeyAlgID = " |
|
2242 |
+ algID.getOID()); |
|
2243 |
} |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30033
diff
changeset
|
2244 |
if (!subjectPublicKeyAlgID.equals(algID.getOID())) { |
2 | 2245 |
if (debug != null) { |
2246 |
debug.println("X509CertSelector.match: " |
|
2247 |
+ "subject public key alg IDs don't match"); |
|
2248 |
} |
|
2249 |
return false; |
|
2250 |
} |
|
2251 |
} catch (IOException e5) { |
|
2252 |
if (debug != null) { |
|
2253 |
debug.println("X509CertSelector.match: IOException in subject " |
|
2254 |
+ "public key algorithm OID check"); |
|
2255 |
} |
|
2256 |
return false; |
|
2257 |
} |
|
2258 |
return true; |
|
2259 |
} |
|
2260 |
||
2261 |
/* match on key usage extension value */ |
|
2262 |
private boolean matchKeyUsage(X509Certificate xcert) { |
|
2263 |
if (keyUsage == null) { |
|
2264 |
return true; |
|
2265 |
} |
|
2266 |
boolean[] certKeyUsage = xcert.getKeyUsage(); |
|
2267 |
if (certKeyUsage != null) { |
|
2268 |
for (int keyBit = 0; keyBit < keyUsage.length; keyBit++) { |
|
2269 |
if (keyUsage[keyBit] && |
|
2270 |
((keyBit >= certKeyUsage.length) || !certKeyUsage[keyBit])) { |
|
2271 |
if (debug != null) { |
|
2272 |
debug.println("X509CertSelector.match: " |
|
2273 |
+ "key usage bits don't match"); |
|
2274 |
} |
|
2275 |
return false; |
|
2276 |
} |
|
2277 |
} |
|
2278 |
} |
|
2279 |
return true; |
|
2280 |
} |
|
2281 |
||
2282 |
/* match on extended key usage purpose OIDs */ |
|
2283 |
private boolean matchExtendedKeyUsage(X509Certificate xcert) { |
|
2284 |
if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) { |
|
2285 |
return true; |
|
2286 |
} |
|
2287 |
try { |
|
2288 |
ExtendedKeyUsageExtension ext = |
|
2289 |
(ExtendedKeyUsageExtension)getExtensionObject(xcert, |
|
2290 |
EXTENDED_KEY_USAGE_ID); |
|
2291 |
if (ext != null) { |
|
2292 |
Vector<ObjectIdentifier> certKeyPurposeVector = |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2293 |
ext.get(ExtendedKeyUsageExtension.USAGES); |
2 | 2294 |
if (!certKeyPurposeVector.contains(ANY_EXTENDED_KEY_USAGE) |
2295 |
&& !certKeyPurposeVector.containsAll(keyPurposeOIDSet)) { |
|
2296 |
if (debug != null) { |
|
2297 |
debug.println("X509CertSelector.match: cert failed " |
|
2298 |
+ "extendedKeyUsage criterion"); |
|
2299 |
} |
|
2300 |
return false; |
|
2301 |
} |
|
2302 |
} |
|
2303 |
} catch (IOException ex) { |
|
2304 |
if (debug != null) { |
|
2305 |
debug.println("X509CertSelector.match: " |
|
2306 |
+ "IOException in extended key usage check"); |
|
2307 |
} |
|
2308 |
return false; |
|
2309 |
} |
|
2310 |
return true; |
|
2311 |
} |
|
2312 |
||
2313 |
/* match on subject alternative name extension names */ |
|
2314 |
private boolean matchSubjectAlternativeNames(X509Certificate xcert) { |
|
2315 |
if ((subjectAlternativeNames == null) || subjectAlternativeNames.isEmpty()) { |
|
2316 |
return true; |
|
2317 |
} |
|
2318 |
try { |
|
2319 |
SubjectAlternativeNameExtension sanExt = |
|
2320 |
(SubjectAlternativeNameExtension) getExtensionObject(xcert, |
|
2321 |
SUBJECT_ALT_NAME_ID); |
|
2322 |
if (sanExt == null) { |
|
2323 |
if (debug != null) { |
|
2324 |
debug.println("X509CertSelector.match: " |
|
2325 |
+ "no subject alternative name extension"); |
|
2326 |
} |
|
2327 |
return false; |
|
2328 |
} |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2329 |
GeneralNames certNames = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2330 |
sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME); |
2 | 2331 |
Iterator<GeneralNameInterface> i = |
2332 |
subjectAlternativeGeneralNames.iterator(); |
|
2333 |
while (i.hasNext()) { |
|
2334 |
GeneralNameInterface matchName = i.next(); |
|
2335 |
boolean found = false; |
|
2336 |
for (Iterator<GeneralName> t = certNames.iterator(); |
|
2337 |
t.hasNext() && !found; ) { |
|
2338 |
GeneralNameInterface certName = (t.next()).getName(); |
|
2339 |
found = certName.equals(matchName); |
|
2340 |
} |
|
2341 |
if (!found && (matchAllSubjectAltNames || !i.hasNext())) { |
|
2342 |
if (debug != null) { |
|
2343 |
debug.println("X509CertSelector.match: subject alternative " |
|
2344 |
+ "name " + matchName + " not found"); |
|
2345 |
} |
|
2346 |
return false; |
|
2347 |
} else if (found && !matchAllSubjectAltNames) { |
|
2348 |
break; |
|
2349 |
} |
|
2350 |
} |
|
2351 |
} catch (IOException ex) { |
|
2352 |
if (debug != null) |
|
2353 |
debug.println("X509CertSelector.match: IOException in subject " |
|
2354 |
+ "alternative name check"); |
|
2355 |
return false; |
|
2356 |
} |
|
2357 |
return true; |
|
2358 |
} |
|
2359 |
||
2360 |
/* match on name constraints */ |
|
2361 |
private boolean matchNameConstraints(X509Certificate xcert) { |
|
2362 |
if (nc == null) { |
|
2363 |
return true; |
|
2364 |
} |
|
2365 |
try { |
|
2366 |
if (!nc.verify(xcert)) { |
|
2367 |
if (debug != null) { |
|
2368 |
debug.println("X509CertSelector.match: " |
|
2369 |
+ "name constraints not satisfied"); |
|
2370 |
} |
|
2371 |
return false; |
|
2372 |
} |
|
2373 |
} catch (IOException e) { |
|
2374 |
if (debug != null) { |
|
2375 |
debug.println("X509CertSelector.match: " |
|
2376 |
+ "IOException in name constraints check"); |
|
2377 |
} |
|
2378 |
return false; |
|
2379 |
} |
|
2380 |
return true; |
|
2381 |
} |
|
2382 |
||
2383 |
/* match on policy OIDs */ |
|
2384 |
private boolean matchPolicy(X509Certificate xcert) { |
|
2385 |
if (policy == null) { |
|
2386 |
return true; |
|
2387 |
} |
|
2388 |
try { |
|
2389 |
CertificatePoliciesExtension ext = (CertificatePoliciesExtension) |
|
2390 |
getExtensionObject(xcert, CERT_POLICIES_ID); |
|
2391 |
if (ext == null) { |
|
2392 |
if (debug != null) { |
|
2393 |
debug.println("X509CertSelector.match: " |
|
2394 |
+ "no certificate policy extension"); |
|
2395 |
} |
|
2396 |
return false; |
|
2397 |
} |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2398 |
List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES); |
2 | 2399 |
/* |
2400 |
* Convert the Vector of PolicyInformation to a Vector |
|
2401 |
* of CertificatePolicyIds for easier comparison. |
|
2402 |
*/ |
|
30033
b9c86c17164a
8078468: Update security libraries to use diamond with anonymous classes
darcy
parents:
29264
diff
changeset
|
2403 |
List<CertificatePolicyId> policyIDs = new ArrayList<>(policies.size()); |
2 | 2404 |
for (PolicyInformation info : policies) { |
2405 |
policyIDs.add(info.getPolicyIdentifier()); |
|
2406 |
} |
|
2407 |
if (policy != null) { |
|
2408 |
boolean foundOne = false; |
|
2409 |
/* |
|
2410 |
* if the user passes in an empty policy Set, then |
|
2411 |
* we just want to make sure that the candidate certificate |
|
2412 |
* has some policy OID in its CertPoliciesExtension |
|
2413 |
*/ |
|
2414 |
if (policy.getCertPolicyIds().isEmpty()) { |
|
2415 |
if (policyIDs.isEmpty()) { |
|
2416 |
if (debug != null) { |
|
2417 |
debug.println("X509CertSelector.match: " |
|
2418 |
+ "cert failed policyAny criterion"); |
|
2419 |
} |
|
2420 |
return false; |
|
2421 |
} |
|
2422 |
} else { |
|
2423 |
for (CertificatePolicyId id : policy.getCertPolicyIds()) { |
|
2424 |
if (policyIDs.contains(id)) { |
|
2425 |
foundOne = true; |
|
2426 |
break; |
|
2427 |
} |
|
2428 |
} |
|
2429 |
if (!foundOne) { |
|
2430 |
if (debug != null) { |
|
2431 |
debug.println("X509CertSelector.match: " |
|
2432 |
+ "cert failed policyAny criterion"); |
|
2433 |
} |
|
2434 |
return false; |
|
2435 |
} |
|
2436 |
} |
|
2437 |
} |
|
2438 |
} catch (IOException ex) { |
|
2439 |
if (debug != null) { |
|
2440 |
debug.println("X509CertSelector.match: " |
|
2441 |
+ "IOException in certificate policy ID check"); |
|
2442 |
} |
|
2443 |
return false; |
|
2444 |
} |
|
2445 |
return true; |
|
2446 |
} |
|
2447 |
||
2448 |
/* match on pathToNames */ |
|
2449 |
private boolean matchPathToNames(X509Certificate xcert) { |
|
2450 |
if (pathToGeneralNames == null) { |
|
2451 |
return true; |
|
2452 |
} |
|
2453 |
try { |
|
2454 |
NameConstraintsExtension ext = (NameConstraintsExtension) |
|
2455 |
getExtensionObject(xcert, NAME_CONSTRAINTS_ID); |
|
2456 |
if (ext == null) { |
|
2457 |
return true; |
|
2458 |
} |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2459 |
if ((debug != null) && Debug.isOn("certpath")) { |
2 | 2460 |
debug.println("X509CertSelector.match pathToNames:\n"); |
2461 |
Iterator<GeneralNameInterface> i = |
|
2462 |
pathToGeneralNames.iterator(); |
|
2463 |
while (i.hasNext()) { |
|
2464 |
debug.println(" " + i.next() + "\n"); |
|
2465 |
} |
|
2466 |
} |
|
2467 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2468 |
GeneralSubtrees permitted = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2469 |
ext.get(NameConstraintsExtension.PERMITTED_SUBTREES); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2470 |
GeneralSubtrees excluded = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2471 |
ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES); |
2 | 2472 |
if (excluded != null) { |
2473 |
if (matchExcluded(excluded) == false) { |
|
2474 |
return false; |
|
2475 |
} |
|
2476 |
} |
|
2477 |
if (permitted != null) { |
|
2478 |
if (matchPermitted(permitted) == false) { |
|
2479 |
return false; |
|
2480 |
} |
|
2481 |
} |
|
2482 |
} catch (IOException ex) { |
|
2483 |
if (debug != null) { |
|
2484 |
debug.println("X509CertSelector.match: " |
|
2485 |
+ "IOException in name constraints check"); |
|
2486 |
} |
|
2487 |
return false; |
|
2488 |
} |
|
2489 |
return true; |
|
2490 |
} |
|
2491 |
||
2492 |
private boolean matchExcluded(GeneralSubtrees excluded) { |
|
2493 |
/* |
|
2494 |
* Enumerate through excluded and compare each entry |
|
2495 |
* to all pathToNames. If any pathToName is within any of the |
|
2496 |
* subtrees listed in excluded, return false. |
|
2497 |
*/ |
|
2498 |
for (Iterator<GeneralSubtree> t = excluded.iterator(); t.hasNext(); ) { |
|
2499 |
GeneralSubtree tree = t.next(); |
|
2500 |
GeneralNameInterface excludedName = tree.getName().getName(); |
|
2501 |
Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator(); |
|
2502 |
while (i.hasNext()) { |
|
2503 |
GeneralNameInterface pathToName = i.next(); |
|
2504 |
if (excludedName.getType() == pathToName.getType()) { |
|
2505 |
switch (pathToName.constrains(excludedName)) { |
|
2506 |
case GeneralNameInterface.NAME_WIDENS: |
|
2507 |
case GeneralNameInterface.NAME_MATCH: |
|
2508 |
if (debug != null) { |
|
2509 |
debug.println("X509CertSelector.match: name constraints " |
|
2510 |
+ "inhibit path to specified name"); |
|
2511 |
debug.println("X509CertSelector.match: excluded name: " + |
|
2512 |
pathToName); |
|
2513 |
} |
|
2514 |
return false; |
|
2515 |
default: |
|
2516 |
} |
|
2517 |
} |
|
2518 |
} |
|
2519 |
} |
|
2520 |
return true; |
|
2521 |
} |
|
2522 |
||
2523 |
private boolean matchPermitted(GeneralSubtrees permitted) { |
|
2524 |
/* |
|
2525 |
* Enumerate through pathToNames, checking that each pathToName |
|
2526 |
* is in at least one of the subtrees listed in permitted. |
|
2527 |
* If not, return false. However, if no subtrees of a given type |
|
2528 |
* are listed, all names of that type are permitted. |
|
2529 |
*/ |
|
2530 |
Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator(); |
|
2531 |
while (i.hasNext()) { |
|
2532 |
GeneralNameInterface pathToName = i.next(); |
|
2533 |
Iterator<GeneralSubtree> t = permitted.iterator(); |
|
2534 |
boolean permittedNameFound = false; |
|
2535 |
boolean nameTypeFound = false; |
|
2536 |
String names = ""; |
|
2537 |
while (t.hasNext() && !permittedNameFound) { |
|
2538 |
GeneralSubtree tree = t.next(); |
|
2539 |
GeneralNameInterface permittedName = tree.getName().getName(); |
|
2540 |
if (permittedName.getType() == pathToName.getType()) { |
|
2541 |
nameTypeFound = true; |
|
2542 |
names = names + " " + permittedName; |
|
2543 |
switch (pathToName.constrains(permittedName)) { |
|
2544 |
case GeneralNameInterface.NAME_WIDENS: |
|
2545 |
case GeneralNameInterface.NAME_MATCH: |
|
2546 |
permittedNameFound = true; |
|
2547 |
break; |
|
2548 |
default: |
|
2549 |
} |
|
2550 |
} |
|
2551 |
} |
|
2552 |
if (!permittedNameFound && nameTypeFound) { |
|
2553 |
if (debug != null) |
|
2554 |
debug.println("X509CertSelector.match: " + |
|
2555 |
"name constraints inhibit path to specified name; " + |
|
2556 |
"permitted names of type " + pathToName.getType() + |
|
2557 |
": " + names); |
|
2558 |
return false; |
|
2559 |
} |
|
2560 |
} |
|
2561 |
return true; |
|
2562 |
} |
|
2563 |
||
2564 |
/* match on basic constraints */ |
|
2565 |
private boolean matchBasicConstraints(X509Certificate xcert) { |
|
2566 |
if (basicConstraints == -1) { |
|
2567 |
return true; |
|
2568 |
} |
|
2569 |
int maxPathLen = xcert.getBasicConstraints(); |
|
2570 |
if (basicConstraints == -2) { |
|
2571 |
if (maxPathLen != -1) { |
|
2572 |
if (debug != null) { |
|
2573 |
debug.println("X509CertSelector.match: not an EE cert"); |
|
2574 |
} |
|
2575 |
return false; |
|
2576 |
} |
|
2577 |
} else { |
|
2578 |
if (maxPathLen < basicConstraints) { |
|
2579 |
if (debug != null) { |
|
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
2580 |
debug.println("X509CertSelector.match: cert's maxPathLen " + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
2581 |
"is less than the min maxPathLen set by " + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
2582 |
"basicConstraints. " + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
2583 |
"(" + maxPathLen + " < " + basicConstraints + ")"); |
2 | 2584 |
} |
2585 |
return false; |
|
2586 |
} |
|
2587 |
} |
|
2588 |
return true; |
|
2589 |
} |
|
2590 |
||
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2591 |
@SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2592 |
private static <T> Set<T> cloneSet(Set<T> set) { |
2 | 2593 |
if (set instanceof HashSet) { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2594 |
Object clone = ((HashSet<T>)set).clone(); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2595 |
return (Set<T>)clone; |
2 | 2596 |
} else { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2597 |
return new HashSet<T>(set); |
2 | 2598 |
} |
2599 |
} |
|
2600 |
||
2601 |
/** |
|
2602 |
* Returns a copy of this object. |
|
2603 |
* |
|
2604 |
* @return the copy |
|
2605 |
*/ |
|
2606 |
public Object clone() { |
|
2607 |
try { |
|
2608 |
X509CertSelector copy = (X509CertSelector)super.clone(); |
|
2609 |
// Must clone these because addPathToName et al. modify them |
|
2610 |
if (subjectAlternativeNames != null) { |
|
2611 |
copy.subjectAlternativeNames = |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2612 |
cloneSet(subjectAlternativeNames); |
2 | 2613 |
copy.subjectAlternativeGeneralNames = |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2614 |
cloneSet(subjectAlternativeGeneralNames); |
2 | 2615 |
} |
2616 |
if (pathToGeneralNames != null) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2617 |
copy.pathToNames = cloneSet(pathToNames); |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5506
diff
changeset
|
2618 |
copy.pathToGeneralNames = cloneSet(pathToGeneralNames); |
2 | 2619 |
} |
2620 |
return copy; |
|
2621 |
} catch (CloneNotSupportedException e) { |
|
2622 |
/* Cannot happen */ |
|
10419
12c063b39232
7084245: Update usages of InternalError to use exception chaining
sherman
parents:
10336
diff
changeset
|
2623 |
throw new InternalError(e.toString(), e); |
2 | 2624 |
} |
2625 |
} |
|
2626 |
} |