src/java.base/share/classes/sun/security/x509/X509CertImpl.java
author wetmore
Fri, 11 May 2018 15:53:12 -0700
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 47478 438e0c9f2f17
child 53018 8bf9268df0e2
permissions -rw-r--r--
Initial TLSv1.3 Implementation
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
/*
44476
e275cd2f9319 8175029: StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider)
mullan
parents: 37726
diff changeset
     2
 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load
duke
parents:
diff changeset
     4
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
     5
 * This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load
duke
parents:
diff changeset
     6
 * under the terms of the GNU General Public License version 2 only, as
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
     7
 * published by the Free Software Foundation.  Oracle designates this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     8
 * particular file as subject to the "Classpath" exception as provided
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
     9
 * by Oracle in the LICENSE file that accompanied this code.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    10
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    11
 * This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load
duke
parents:
diff changeset
    12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
90ce3da70b43 Initial load
duke
parents:
diff changeset
    14
 * version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load
duke
parents:
diff changeset
    15
 * accompanied this code).
90ce3da70b43 Initial load
duke
parents:
diff changeset
    16
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    17
 * You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load
duke
parents:
diff changeset
    18
 * 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    20
 *
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    22
 * or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    23
 * questions.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    24
 */
90ce3da70b43 Initial load
duke
parents:
diff changeset
    25
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
package sun.security.x509;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
import java.io.BufferedReader;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
import java.io.BufferedInputStream;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
import java.io.ByteArrayOutputStream;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
import java.io.IOException;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
import java.io.InputStream;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
import java.io.InputStreamReader;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
import java.io.OutputStream;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
import java.math.BigInteger;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    36
import java.security.*;
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
    37
import java.security.spec.AlgorithmParameterSpec;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    38
import java.security.cert.*;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
import java.security.cert.Certificate;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
import java.util.*;
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
    41
import java.util.concurrent.ConcurrentHashMap;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
import javax.security.auth.x500.X500Principal;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
16020
b57c48f16179 8006182: cleanup to use java.util.Base64 in java security component, providers, and regression tests
msheppar
parents: 14421
diff changeset
    45
import java.util.Base64;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    46
import sun.security.util.*;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    47
import sun.security.provider.X509Factory;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    48
90ce3da70b43 Initial load
duke
parents:
diff changeset
    49
/**
90ce3da70b43 Initial load
duke
parents:
diff changeset
    50
 * The X509CertImpl class represents an X.509 certificate. These certificates
90ce3da70b43 Initial load
duke
parents:
diff changeset
    51
 * are widely used to support authentication and other functionality in
90ce3da70b43 Initial load
duke
parents:
diff changeset
    52
 * Internet security systems.  Common applications include Privacy Enhanced
90ce3da70b43 Initial load
duke
parents:
diff changeset
    53
 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
    54
 * software distribution, and Secure Electronic Transactions (SET).  There
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
 * is a commercial infrastructure ready to manage large scale deployments
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
 * of X.509 identity certificates.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    58
 * <P>These certificates are managed and vouched for by <em>Certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
    59
 * Authorities</em> (CAs).  CAs are services which create certificates by
90ce3da70b43 Initial load
duke
parents:
diff changeset
    60
 * placing data in the X.509 standard format and then digitally signing
90ce3da70b43 Initial load
duke
parents:
diff changeset
    61
 * that data.  Such signatures are quite difficult to forge.  CAs act as
90ce3da70b43 Initial load
duke
parents:
diff changeset
    62
 * trusted third parties, making introductions between agents who have no
90ce3da70b43 Initial load
duke
parents:
diff changeset
    63
 * direct knowledge of each other.  CA certificates are either signed by
90ce3da70b43 Initial load
duke
parents:
diff changeset
    64
 * themselves, or by some other CA such as a "root" CA.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    65
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    66
 * <P>RFC 1422 is very informative, though it does not describe much
90ce3da70b43 Initial load
duke
parents:
diff changeset
    67
 * of the recent work being done with X.509 certificates.  That includes
90ce3da70b43 Initial load
duke
parents:
diff changeset
    68
 * a 1996 version (X.509v3) and a variety of enhancements being made to
90ce3da70b43 Initial load
duke
parents:
diff changeset
    69
 * facilitate an explosion of personal certificates used as "Internet
90ce3da70b43 Initial load
duke
parents:
diff changeset
    70
 * Drivers' Licences", or with SET for credit card transactions.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    71
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    72
 * <P>More recent work includes the IETF PKIX Working Group efforts,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    73
 * especially RFC2459.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    74
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    75
 * @author Dave Brownell
90ce3da70b43 Initial load
duke
parents:
diff changeset
    76
 * @author Amit Kapoor
90ce3da70b43 Initial load
duke
parents:
diff changeset
    77
 * @author Hemma Prafullchandra
90ce3da70b43 Initial load
duke
parents:
diff changeset
    78
 * @see X509CertInfo
90ce3da70b43 Initial load
duke
parents:
diff changeset
    79
 */
90ce3da70b43 Initial load
duke
parents:
diff changeset
    80
public class X509CertImpl extends X509Certificate implements DerEncoder {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    81
90ce3da70b43 Initial load
duke
parents:
diff changeset
    82
    private static final long serialVersionUID = -3457612960190864406L;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    83
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
    84
    private static final char DOT = '.';
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    85
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
    86
     * Public attribute names.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    87
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
    88
    public static final String NAME = "x509";
90ce3da70b43 Initial load
duke
parents:
diff changeset
    89
    public static final String INFO = X509CertInfo.NAME;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    90
    public static final String ALG_ID = "algorithm";
90ce3da70b43 Initial load
duke
parents:
diff changeset
    91
    public static final String SIGNATURE = "signature";
90ce3da70b43 Initial load
duke
parents:
diff changeset
    92
    public static final String SIGNED_CERT = "signed_cert";
90ce3da70b43 Initial load
duke
parents:
diff changeset
    93
90ce3da70b43 Initial load
duke
parents:
diff changeset
    94
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
    95
     * The following are defined for ease-of-use. These
90ce3da70b43 Initial load
duke
parents:
diff changeset
    96
     * are the most frequently retrieved attributes.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    97
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
    98
    // x509.info.subject.dname
90ce3da70b43 Initial load
duke
parents:
diff changeset
    99
    public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   100
                               X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   101
    // x509.info.issuer.dname
90ce3da70b43 Initial load
duke
parents:
diff changeset
   102
    public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   103
                               X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   104
    // x509.info.serialNumber.number
90ce3da70b43 Initial load
duke
parents:
diff changeset
   105
    public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   106
                               X509CertInfo.SERIAL_NUMBER + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   107
                               CertificateSerialNumber.NUMBER;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   108
    // x509.info.key.value
90ce3da70b43 Initial load
duke
parents:
diff changeset
   109
    public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   110
                               X509CertInfo.KEY + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   111
                               CertificateX509Key.KEY;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   112
90ce3da70b43 Initial load
duke
parents:
diff changeset
   113
    // x509.info.version.value
90ce3da70b43 Initial load
duke
parents:
diff changeset
   114
    public static final String VERSION = NAME + DOT + INFO + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   115
                               X509CertInfo.VERSION + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   116
                               CertificateVersion.VERSION;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   117
90ce3da70b43 Initial load
duke
parents:
diff changeset
   118
    // x509.algorithm
90ce3da70b43 Initial load
duke
parents:
diff changeset
   119
    public static final String SIG_ALG = NAME + DOT + ALG_ID;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   120
90ce3da70b43 Initial load
duke
parents:
diff changeset
   121
    // x509.signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
   122
    public static final String SIG = NAME + DOT + SIGNATURE;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   123
90ce3da70b43 Initial load
duke
parents:
diff changeset
   124
    // when we sign and decode we set this to true
90ce3da70b43 Initial load
duke
parents:
diff changeset
   125
    // this is our means to make certificates immutable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   126
    private boolean readOnly = false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   127
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
    // Certificate data, and its envelope
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
    private byte[]              signedCert = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   130
    protected X509CertInfo      info = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   131
    protected AlgorithmId       algId = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   132
    protected byte[]            signature = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   133
90ce3da70b43 Initial load
duke
parents:
diff changeset
   134
    // recognized extension OIDS
90ce3da70b43 Initial load
duke
parents:
diff changeset
   135
    private static final String KEY_USAGE_OID = "2.5.29.15";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   136
    private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   137
    private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   138
    private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   139
    private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   140
    private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   141
90ce3da70b43 Initial load
duke
parents:
diff changeset
   142
    // number of standard key usage bits.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   143
    private static final int NUM_STANDARD_KEY_USAGE = 9;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   144
90ce3da70b43 Initial load
duke
parents:
diff changeset
   145
    // SubjectAlterntativeNames cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   146
    private Collection<List<?>> subjectAlternativeNames;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   147
90ce3da70b43 Initial load
duke
parents:
diff changeset
   148
    // IssuerAlternativeNames cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   149
    private Collection<List<?>> issuerAlternativeNames;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   150
90ce3da70b43 Initial load
duke
parents:
diff changeset
   151
    // ExtendedKeyUsage cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
    private List<String> extKeyUsage;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   153
90ce3da70b43 Initial load
duke
parents:
diff changeset
   154
    // AuthorityInformationAccess cache
90ce3da70b43 Initial load
duke
parents:
diff changeset
   155
    private Set<AccessDescription> authInfoAccess;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   156
90ce3da70b43 Initial load
duke
parents:
diff changeset
   157
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   158
     * PublicKey that has previously been used to verify
90ce3da70b43 Initial load
duke
parents:
diff changeset
   159
     * the signature of this certificate. Null if the certificate has not
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
     * yet been verified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   161
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   162
    private PublicKey verifiedPublicKey;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   163
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   164
     * If verifiedPublicKey is not null, name of the provider used to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   165
     * successfully verify the signature of this certificate, or the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   166
     * empty String if no provider was explicitly specified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   168
    private String verifiedProvider;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   169
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   170
     * If verifiedPublicKey is not null, result of the verification using
90ce3da70b43 Initial load
duke
parents:
diff changeset
   171
     * verifiedPublicKey and verifiedProvider. If true, verification was
90ce3da70b43 Initial load
duke
parents:
diff changeset
   172
     * successful, if false, it failed.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   173
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   174
    private boolean verificationResult;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   175
90ce3da70b43 Initial load
duke
parents:
diff changeset
   176
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   177
     * Default constructor.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   178
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   179
    public X509CertImpl() { }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   180
90ce3da70b43 Initial load
duke
parents:
diff changeset
   181
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   182
     * Unmarshals a certificate from its encoded form, parsing the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   183
     * encoded bytes.  This form of constructor is used by agents which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   184
     * need to examine and use certificate contents.  That is, this is
90ce3da70b43 Initial load
duke
parents:
diff changeset
   185
     * one of the more commonly used constructors.  Note that the buffer
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
     * must include only a certificate, and no "garbage" may be left at
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
     * the end.  If you need to ignore data at the end of a certificate,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   188
     * use another constructor.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   189
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   190
     * @param certData the encoded bytes, with no trailing padding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   191
     * @exception CertificateException on parsing and initialization errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   192
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   193
    public X509CertImpl(byte[] certData) throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   194
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   195
            parse(new DerValue(certData));
90ce3da70b43 Initial load
duke
parents:
diff changeset
   196
        } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   197
            signedCert = null;
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   198
            throw new CertificateException("Unable to initialize, " + e, e);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   199
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   200
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   201
90ce3da70b43 Initial load
duke
parents:
diff changeset
   202
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   203
     * unmarshals an X.509 certificate from an input stream.  If the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   204
     * certificate is RFC1421 hex-encoded, then it must begin with
90ce3da70b43 Initial load
duke
parents:
diff changeset
   205
     * the line X509Factory.BEGIN_CERT and end with the line
90ce3da70b43 Initial load
duke
parents:
diff changeset
   206
     * X509Factory.END_CERT.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   207
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   208
     * @param in an input stream holding at least one certificate that may
90ce3da70b43 Initial load
duke
parents:
diff changeset
   209
     *        be either DER-encoded or RFC1421 hex-encoded version of the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   210
     *        DER-encoded certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   211
     * @exception CertificateException on parsing and initialization errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   212
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   213
    public X509CertImpl(InputStream in) throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   214
90ce3da70b43 Initial load
duke
parents:
diff changeset
   215
        DerValue der = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   216
90ce3da70b43 Initial load
duke
parents:
diff changeset
   217
        BufferedInputStream inBuffered = new BufferedInputStream(in);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   218
90ce3da70b43 Initial load
duke
parents:
diff changeset
   219
        // First try reading stream as HEX-encoded DER-encoded bytes,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   220
        // since not mistakable for raw DER
90ce3da70b43 Initial load
duke
parents:
diff changeset
   221
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   222
            inBuffered.mark(Integer.MAX_VALUE);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   223
            der = readRFC1421Cert(inBuffered);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   224
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   225
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   226
                // Next, try reading stream as raw DER-encoded bytes
90ce3da70b43 Initial load
duke
parents:
diff changeset
   227
                inBuffered.reset();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   228
                der = new DerValue(inBuffered);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   229
            } catch (IOException ioe1) {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   230
                throw new CertificateException("Input stream must be " +
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   231
                                               "either DER-encoded bytes " +
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   232
                                               "or RFC1421 hex-encoded " +
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   233
                                               "DER-encoded bytes: " +
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   234
                                               ioe1.getMessage(), ioe1);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   235
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   236
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   237
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   238
            parse(der);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   239
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   240
            signedCert = null;
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   241
            throw new CertificateException("Unable to parse DER value of " +
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   242
                                           "certificate, " + ioe, ioe);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   243
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   244
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   245
90ce3da70b43 Initial load
duke
parents:
diff changeset
   246
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   247
     * read input stream as HEX-encoded DER-encoded bytes
90ce3da70b43 Initial load
duke
parents:
diff changeset
   248
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   249
     * @param in InputStream to read
30374
2abaf49910ea 8079478: some docs cleanup for sun.security
avstepan
parents: 29596
diff changeset
   250
     * @return DerValue corresponding to decoded HEX-encoded bytes
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   251
     * @throws IOException if stream can not be interpreted as RFC1421
90ce3da70b43 Initial load
duke
parents:
diff changeset
   252
     *                     encoded bytes
90ce3da70b43 Initial load
duke
parents:
diff changeset
   253
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
    private DerValue readRFC1421Cert(InputStream in) throws IOException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
        DerValue der = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
        String line = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   257
        BufferedReader certBufferedReader =
90ce3da70b43 Initial load
duke
parents:
diff changeset
   258
            new BufferedReader(new InputStreamReader(in, "ASCII"));
90ce3da70b43 Initial load
duke
parents:
diff changeset
   259
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   260
            line = certBufferedReader.readLine();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   261
        } catch (IOException ioe1) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   262
            throw new IOException("Unable to read InputStream: " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   263
                                  ioe1.getMessage());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   264
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   265
        if (line.equals(X509Factory.BEGIN_CERT)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   266
            /* stream appears to be hex-encoded bytes */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   267
            ByteArrayOutputStream decstream = new ByteArrayOutputStream();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   268
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   269
                while ((line = certBufferedReader.readLine()) != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   270
                    if (line.equals(X509Factory.END_CERT)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   271
                        der = new DerValue(decstream.toByteArray());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   272
                        break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   273
                    } else {
29596
70399c7a7f5a 8074935: jdk8 keytool doesn't validate pem files for RFC 1421 correctness, as jdk7 did
weijun
parents: 25859
diff changeset
   274
                        decstream.write(Pem.decode(line));
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   275
                    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   276
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   277
            } catch (IOException ioe2) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   278
                throw new IOException("Unable to read InputStream: "
90ce3da70b43 Initial load
duke
parents:
diff changeset
   279
                                      + ioe2.getMessage());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   280
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   281
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   282
            throw new IOException("InputStream is not RFC1421 hex-encoded " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   283
                                  "DER bytes");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   284
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   285
        return der;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   286
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   287
90ce3da70b43 Initial load
duke
parents:
diff changeset
   288
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   289
     * Construct an initialized X509 Certificate. The certificate is stored
90ce3da70b43 Initial load
duke
parents:
diff changeset
   290
     * in raw form and has to be signed to be useful.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   291
     *
30374
2abaf49910ea 8079478: some docs cleanup for sun.security
avstepan
parents: 29596
diff changeset
   292
     * @param certInfo the X509CertificateInfo which the Certificate is to be
2abaf49910ea 8079478: some docs cleanup for sun.security
avstepan
parents: 29596
diff changeset
   293
     *             created from.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   294
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   295
    public X509CertImpl(X509CertInfo certInfo) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   296
        this.info = certInfo;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   297
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   298
90ce3da70b43 Initial load
duke
parents:
diff changeset
   299
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   300
     * Unmarshal a certificate from its encoded form, parsing a DER value.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   301
     * This form of constructor is used by agents which need to examine
90ce3da70b43 Initial load
duke
parents:
diff changeset
   302
     * and use certificate contents.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   303
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   304
     * @param derVal the der value containing the encoded cert.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   305
     * @exception CertificateException on parsing and initialization errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   306
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   307
    public X509CertImpl(DerValue derVal) throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   308
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   309
            parse(derVal);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   310
        } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   311
            signedCert = null;
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
   312
            throw new CertificateException("Unable to initialize, " + e, e);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   313
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   314
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   315
90ce3da70b43 Initial load
duke
parents:
diff changeset
   316
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   317
     * Appends the certificate to an output stream.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   318
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   319
     * @param out an input stream to which the certificate is appended.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   320
     * @exception CertificateEncodingException on encoding errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   321
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   322
    public void encode(OutputStream out)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   323
    throws CertificateEncodingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   324
        if (signedCert == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   325
            throw new CertificateEncodingException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   326
                          "Null certificate to encode");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   327
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   328
            out.write(signedCert.clone());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   329
        } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   330
            throw new CertificateEncodingException(e.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   331
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   332
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   333
90ce3da70b43 Initial load
duke
parents:
diff changeset
   334
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   335
     * DER encode this object onto an output stream.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   336
     * Implements the <code>DerEncoder</code> interface.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   337
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   338
     * @param out the output stream on which to write the DER encoding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   339
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   340
     * @exception IOException on encoding error.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   341
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   342
    public void derEncode(OutputStream out) throws IOException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   343
        if (signedCert == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   344
            throw new IOException("Null certificate to encode");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   345
        out.write(signedCert.clone());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   346
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   347
90ce3da70b43 Initial load
duke
parents:
diff changeset
   348
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   349
     * Returns the encoded form of this certificate. It is
90ce3da70b43 Initial load
duke
parents:
diff changeset
   350
     * assumed that each certificate type would have only a single
90ce3da70b43 Initial load
duke
parents:
diff changeset
   351
     * form of encoding; for example, X.509 certificates would
90ce3da70b43 Initial load
duke
parents:
diff changeset
   352
     * be encoded as ASN.1 DER.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   353
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   354
     * @exception CertificateEncodingException if an encoding error occurs.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   355
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   356
    public byte[] getEncoded() throws CertificateEncodingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   357
        return getEncodedInternal().clone();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   358
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   359
90ce3da70b43 Initial load
duke
parents:
diff changeset
   360
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   361
     * Returned the encoding as an uncloned byte array. Callers must
90ce3da70b43 Initial load
duke
parents:
diff changeset
   362
     * guarantee that they neither modify it nor expose it to untrusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   363
     * code.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   364
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   365
    public byte[] getEncodedInternal() throws CertificateEncodingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   366
        if (signedCert == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   367
            throw new CertificateEncodingException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   368
                          "Null certificate to encode");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   369
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   370
        return signedCert;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   371
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   372
90ce3da70b43 Initial load
duke
parents:
diff changeset
   373
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   374
     * Throws an exception if the certificate was not signed using the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   375
     * verification key provided.  Successfully verifying a certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   376
     * does <em>not</em> indicate that one should trust the entity which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   377
     * it represents.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   378
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   379
     * @param key the public key used for verification.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   380
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   381
     * @exception InvalidKeyException on incorrect key.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   382
     * @exception NoSuchAlgorithmException on unsupported signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
   383
     * algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   384
     * @exception NoSuchProviderException if there's no default provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   385
     * @exception SignatureException on signature errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   386
     * @exception CertificateException on encoding errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   387
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   388
    public void verify(PublicKey key)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   389
    throws CertificateException, NoSuchAlgorithmException,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   390
        InvalidKeyException, NoSuchProviderException, SignatureException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   391
        verify(key, "");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   392
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   393
90ce3da70b43 Initial load
duke
parents:
diff changeset
   394
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   395
     * Throws an exception if the certificate was not signed using the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   396
     * verification key provided.  Successfully verifying a certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   397
     * does <em>not</em> indicate that one should trust the entity which
90ce3da70b43 Initial load
duke
parents:
diff changeset
   398
     * it represents.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   399
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   400
     * @param key the public key used for verification.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   401
     * @param sigProvider the name of the provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   402
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   403
     * @exception NoSuchAlgorithmException on unsupported signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
   404
     * algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   405
     * @exception InvalidKeyException on incorrect key.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   406
     * @exception NoSuchProviderException on incorrect provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   407
     * @exception SignatureException on signature errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   408
     * @exception CertificateException on encoding errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   409
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   410
    public synchronized void verify(PublicKey key, String sigProvider)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   411
            throws CertificateException, NoSuchAlgorithmException,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   412
            InvalidKeyException, NoSuchProviderException, SignatureException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   413
        if (sigProvider == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   414
            sigProvider = "";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   415
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   416
        if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   417
            // this certificate has already been verified using
90ce3da70b43 Initial load
duke
parents:
diff changeset
   418
            // this public key. Make sure providers match, too.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   419
            if (sigProvider.equals(verifiedProvider)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   420
                if (verificationResult) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   421
                    return;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   422
                } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   423
                    throw new SignatureException("Signature does not match.");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   424
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   425
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   426
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   427
        if (signedCert == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   428
            throw new CertificateEncodingException("Uninitialized certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   429
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   430
        // Verify the signature ...
90ce3da70b43 Initial load
duke
parents:
diff changeset
   431
        Signature sigVerf = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   432
        if (sigProvider.length() == 0) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   433
            sigVerf = Signature.getInstance(algId.getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   434
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   435
            sigVerf = Signature.getInstance(algId.getName(), sigProvider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   436
        }
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   437
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   438
        sigVerf.initVerify(key);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   439
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   440
        // set parameters after Signature.initSign/initVerify call,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   441
        // so the deferred provider selection happens when key is set
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   442
        try {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   443
            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   444
        } catch (ProviderException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   445
            throw new CertificateException(e.getMessage(), e.getCause());
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   446
        } catch (InvalidAlgorithmParameterException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   447
            throw new CertificateException(e);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   448
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   449
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   450
        byte[] rawCert = info.getEncodedInfo();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   451
        sigVerf.update(rawCert, 0, rawCert.length);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   452
90ce3da70b43 Initial load
duke
parents:
diff changeset
   453
        // verify may throw SignatureException for invalid encodings, etc.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   454
        verificationResult = sigVerf.verify(signature);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   455
        verifiedPublicKey = key;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   456
        verifiedProvider = sigProvider;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   457
90ce3da70b43 Initial load
duke
parents:
diff changeset
   458
        if (verificationResult == false) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   459
            throw new SignatureException("Signature does not match.");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   460
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   461
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   462
90ce3da70b43 Initial load
duke
parents:
diff changeset
   463
    /**
13406
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   464
     * Throws an exception if the certificate was not signed using the
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   465
     * verification key provided.  This method uses the signature verification
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   466
     * engine supplied by the specified provider. Note that the specified
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   467
     * Provider object does not have to be registered in the provider list.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   468
     * Successfully verifying a certificate does <em>not</em> indicate that one
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   469
     * should trust the entity which it represents.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   470
     *
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   471
     * @param key the public key used for verification.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   472
     * @param sigProvider the provider.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   473
     *
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   474
     * @exception NoSuchAlgorithmException on unsupported signature
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   475
     * algorithms.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   476
     * @exception InvalidKeyException on incorrect key.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   477
     * @exception SignatureException on signature errors.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   478
     * @exception CertificateException on encoding errors.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   479
     */
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   480
    public synchronized void verify(PublicKey key, Provider sigProvider)
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   481
            throws CertificateException, NoSuchAlgorithmException,
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   482
            InvalidKeyException, SignatureException {
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   483
        if (signedCert == null) {
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   484
            throw new CertificateEncodingException("Uninitialized certificate");
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   485
        }
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   486
        // Verify the signature ...
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   487
        Signature sigVerf = null;
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   488
        if (sigProvider == null) {
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   489
            sigVerf = Signature.getInstance(algId.getName());
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   490
        } else {
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   491
            sigVerf = Signature.getInstance(algId.getName(), sigProvider);
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   492
        }
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   493
13406
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   494
        sigVerf.initVerify(key);
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   495
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   496
        // set parameters after Signature.initSign/initVerify call,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   497
        // so the deferred provider selection happens when key is set
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   498
        try {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   499
            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   500
        } catch (ProviderException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   501
            throw new CertificateException(e.getMessage(), e.getCause());
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   502
        } catch (InvalidAlgorithmParameterException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   503
            throw new CertificateException(e);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   504
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   505
13406
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   506
        byte[] rawCert = info.getEncodedInfo();
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   507
        sigVerf.update(rawCert, 0, rawCert.length);
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   508
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   509
        // verify may throw SignatureException for invalid encodings, etc.
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   510
        verificationResult = sigVerf.verify(signature);
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   511
        verifiedPublicKey = key;
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   512
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   513
        if (verificationResult == false) {
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   514
            throw new SignatureException("Signature does not match.");
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   515
        }
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   516
    }
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   517
33d7bf574b42 7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
mullan
parents: 13040
diff changeset
   518
    /**
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   519
     * Creates an X.509 certificate, and signs it using the given key
90ce3da70b43 Initial load
duke
parents:
diff changeset
   520
     * (associating a signature algorithm and an X.500 name).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   521
     * This operation is used to implement the certificate generation
90ce3da70b43 Initial load
duke
parents:
diff changeset
   522
     * functionality of a certificate authority.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   523
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   524
     * @param key the private key used for signing.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   525
     * @param algorithm the name of the signature algorithm used.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   526
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   527
     * @exception InvalidKeyException on incorrect key.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   528
     * @exception NoSuchAlgorithmException on unsupported signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
   529
     * algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   530
     * @exception NoSuchProviderException if there's no default provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   531
     * @exception SignatureException on signature errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   532
     * @exception CertificateException on encoding errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   533
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   534
    public void sign(PrivateKey key, String algorithm)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   535
    throws CertificateException, NoSuchAlgorithmException,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   536
        InvalidKeyException, NoSuchProviderException, SignatureException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   537
        sign(key, algorithm, null);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   538
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   539
90ce3da70b43 Initial load
duke
parents:
diff changeset
   540
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   541
     * Creates an X.509 certificate, and signs it using the given key
90ce3da70b43 Initial load
duke
parents:
diff changeset
   542
     * (associating a signature algorithm and an X.500 name).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   543
     * This operation is used to implement the certificate generation
90ce3da70b43 Initial load
duke
parents:
diff changeset
   544
     * functionality of a certificate authority.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   545
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   546
     * @param key the private key used for signing.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   547
     * @param algorithm the name of the signature algorithm used.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   548
     * @param provider the name of the provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   549
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   550
     * @exception NoSuchAlgorithmException on unsupported signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
   551
     * algorithms.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   552
     * @exception InvalidKeyException on incorrect key.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   553
     * @exception NoSuchProviderException on incorrect provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   554
     * @exception SignatureException on signature errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   555
     * @exception CertificateException on encoding errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   556
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   557
    public void sign(PrivateKey key, String algorithm, String provider)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   558
    throws CertificateException, NoSuchAlgorithmException,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   559
        InvalidKeyException, NoSuchProviderException, SignatureException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   560
        try {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   561
            sign(key, null, algorithm, provider);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   562
        } catch (InvalidAlgorithmParameterException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   563
            // should not happen; re-throw just in case
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   564
            throw new SignatureException(e);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   565
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   566
    }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   567
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   568
    /**
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   569
     * Creates an X.509 certificate, and signs it using the given key
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   570
     * (associating a signature algorithm and an X.500 name), signature
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   571
     * parameters, and security provider. If the given provider name
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   572
     * is null or empty, the implementation look up will be based on
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   573
     * provider configurations.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   574
     * This operation is used to implement the certificate generation
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   575
     * functionality of a certificate authority.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   576
     *
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   577
     * @param key the private key used for signing
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   578
     * @param signingParams the parameters used for signing
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   579
     * @param algorithm the name of the signature algorithm used
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   580
     * @param provider the name of the provider, may be null
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   581
     *
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   582
     * @exception NoSuchAlgorithmException on unsupported signature
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   583
     *            algorithms
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   584
     * @exception InvalidKeyException on incorrect key
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   585
     * @exception InvalidAlgorithmParameterException on invalid signature
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   586
     *            parameters
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   587
     * @exception NoSuchProviderException on incorrect provider
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   588
     * @exception SignatureException on signature errors
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   589
     * @exception CertificateException on encoding errors
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   590
     */
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   591
    public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   592
            String algorithm, String provider)
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   593
            throws CertificateException, NoSuchAlgorithmException,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   594
            InvalidKeyException, InvalidAlgorithmParameterException,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   595
            NoSuchProviderException, SignatureException {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   596
        try {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   597
            if (readOnly)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   598
                throw new CertificateEncodingException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   599
                              "cannot over-write existing certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   600
            Signature sigEngine = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   601
            if ((provider == null) || (provider.length() == 0))
90ce3da70b43 Initial load
duke
parents:
diff changeset
   602
                sigEngine = Signature.getInstance(algorithm);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   603
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
   604
                sigEngine = Signature.getInstance(algorithm, provider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   605
90ce3da70b43 Initial load
duke
parents:
diff changeset
   606
            sigEngine.initSign(key);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   607
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   608
            // set parameters after Signature.initSign/initVerify call, so
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   609
            // the deferred provider selection happens when the key is set
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   610
            try {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   611
                sigEngine.setParameter(signingParams);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   612
            } catch (UnsupportedOperationException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   613
                // for backward compatibility, only re-throw when
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   614
                // parameters is not null
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   615
                if (signingParams != null) throw e;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   616
            }
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   617
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   618
            // in case the name is reset
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   619
            if (signingParams != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   620
                algId = AlgorithmId.get(sigEngine.getParameters());
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   621
            } else {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   622
                algId = AlgorithmId.get(algorithm);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47478
diff changeset
   623
            }
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   624
            DerOutputStream out = new DerOutputStream();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   625
            DerOutputStream tmp = new DerOutputStream();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   626
90ce3da70b43 Initial load
duke
parents:
diff changeset
   627
            // encode certificate info
90ce3da70b43 Initial load
duke
parents:
diff changeset
   628
            info.encode(tmp);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   629
            byte[] rawCert = tmp.toByteArray();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   630
90ce3da70b43 Initial load
duke
parents:
diff changeset
   631
            // encode algorithm identifier
90ce3da70b43 Initial load
duke
parents:
diff changeset
   632
            algId.encode(tmp);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   633
90ce3da70b43 Initial load
duke
parents:
diff changeset
   634
            // Create and encode the signature itself.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   635
            sigEngine.update(rawCert, 0, rawCert.length);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   636
            signature = sigEngine.sign();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   637
            tmp.putBitString(signature);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   638
90ce3da70b43 Initial load
duke
parents:
diff changeset
   639
            // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   640
            out.write(DerValue.tag_Sequence, tmp);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   641
            signedCert = out.toByteArray();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   642
            readOnly = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   643
90ce3da70b43 Initial load
duke
parents:
diff changeset
   644
        } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   645
            throw new CertificateEncodingException(e.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   646
      }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   647
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   648
90ce3da70b43 Initial load
duke
parents:
diff changeset
   649
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   650
     * Checks that the certificate is currently valid, i.e. the current
90ce3da70b43 Initial load
duke
parents:
diff changeset
   651
     * time is within the specified validity period.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   652
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   653
     * @exception CertificateExpiredException if the certificate has expired.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   654
     * @exception CertificateNotYetValidException if the certificate is not
90ce3da70b43 Initial load
duke
parents:
diff changeset
   655
     * yet valid.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   656
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   657
    public void checkValidity()
90ce3da70b43 Initial load
duke
parents:
diff changeset
   658
    throws CertificateExpiredException, CertificateNotYetValidException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   659
        Date date = new Date();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   660
        checkValidity(date);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   661
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   662
90ce3da70b43 Initial load
duke
parents:
diff changeset
   663
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   664
     * Checks that the specified date is within the certificate's
90ce3da70b43 Initial load
duke
parents:
diff changeset
   665
     * validity period, or basically if the certificate would be
90ce3da70b43 Initial load
duke
parents:
diff changeset
   666
     * valid at the specified date/time.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   667
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   668
     * @param date the Date to check against to see if this certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   669
     *        is valid at that date/time.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   670
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   671
     * @exception CertificateExpiredException if the certificate has expired
90ce3da70b43 Initial load
duke
parents:
diff changeset
   672
     * with respect to the <code>date</code> supplied.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   673
     * @exception CertificateNotYetValidException if the certificate is not
90ce3da70b43 Initial load
duke
parents:
diff changeset
   674
     * yet valid with respect to the <code>date</code> supplied.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   675
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   676
    public void checkValidity(Date date)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   677
    throws CertificateExpiredException, CertificateNotYetValidException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   678
90ce3da70b43 Initial load
duke
parents:
diff changeset
   679
        CertificateValidity interval = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   680
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   681
            interval = (CertificateValidity)info.get(CertificateValidity.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   682
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   683
            throw new CertificateNotYetValidException("Incorrect validity period");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   684
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   685
        if (interval == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   686
            throw new CertificateNotYetValidException("Null validity period");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   687
        interval.valid(date);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   688
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   689
90ce3da70b43 Initial load
duke
parents:
diff changeset
   690
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   691
     * Return the requested attribute from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   692
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   693
     * Note that the X509CertInfo is not cloned for performance reasons.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   694
     * Callers must ensure that they do not modify it. All other
90ce3da70b43 Initial load
duke
parents:
diff changeset
   695
     * attributes are cloned.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   696
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   697
     * @param name the name of the attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   698
     * @exception CertificateParsingException on invalid attribute identifier.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   699
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   700
    public Object get(String name)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   701
    throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   702
        X509AttributeName attr = new X509AttributeName(name);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   703
        String id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   704
        if (!(id.equalsIgnoreCase(NAME))) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   705
            throw new CertificateParsingException("Invalid root of "
90ce3da70b43 Initial load
duke
parents:
diff changeset
   706
                          + "attribute name, expected [" + NAME +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   707
                          "], received " + "[" + id + "]");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   708
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   709
        attr = new X509AttributeName(attr.getSuffix());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   710
        id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   711
90ce3da70b43 Initial load
duke
parents:
diff changeset
   712
        if (id.equalsIgnoreCase(INFO)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   713
            if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   714
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   715
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   716
            if (attr.getSuffix() != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   717
                try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   718
                    return info.get(attr.getSuffix());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   719
                } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   720
                    throw new CertificateParsingException(e.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   721
                } catch (CertificateException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   722
                    throw new CertificateParsingException(e.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   723
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   724
            } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   725
                return info;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   726
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   727
        } else if (id.equalsIgnoreCase(ALG_ID)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   728
            return(algId);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   729
        } else if (id.equalsIgnoreCase(SIGNATURE)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   730
            if (signature != null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   731
                return signature.clone();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   732
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
   733
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   734
        } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   735
            if (signedCert != null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   736
                return signedCert.clone();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   737
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
   738
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   739
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   740
            throw new CertificateParsingException("Attribute name not "
90ce3da70b43 Initial load
duke
parents:
diff changeset
   741
                 + "recognized or get() not allowed for the same: " + id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   742
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   743
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   744
90ce3da70b43 Initial load
duke
parents:
diff changeset
   745
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   746
     * Set the requested attribute in the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   747
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   748
     * @param name the name of the attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   749
     * @param obj the value of the attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   750
     * @exception CertificateException on invalid attribute identifier.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   751
     * @exception IOException on encoding error of attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   752
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   753
    public void set(String name, Object obj)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   754
    throws CertificateException, IOException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   755
        // check if immutable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   756
        if (readOnly)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   757
            throw new CertificateException("cannot over-write existing"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   758
                                           + " certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   759
90ce3da70b43 Initial load
duke
parents:
diff changeset
   760
        X509AttributeName attr = new X509AttributeName(name);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   761
        String id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   762
        if (!(id.equalsIgnoreCase(NAME))) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   763
            throw new CertificateException("Invalid root of attribute name,"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   764
                           + " expected [" + NAME + "], received " + id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   765
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   766
        attr = new X509AttributeName(attr.getSuffix());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   767
        id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   768
90ce3da70b43 Initial load
duke
parents:
diff changeset
   769
        if (id.equalsIgnoreCase(INFO)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   770
            if (attr.getSuffix() == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   771
                if (!(obj instanceof X509CertInfo)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   772
                    throw new CertificateException("Attribute value should"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   773
                                    + " be of type X509CertInfo.");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   774
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   775
                info = (X509CertInfo)obj;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   776
                signedCert = null;  //reset this as certificate data has changed
90ce3da70b43 Initial load
duke
parents:
diff changeset
   777
            } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   778
                info.set(attr.getSuffix(), obj);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   779
                signedCert = null;  //reset this as certificate data has changed
90ce3da70b43 Initial load
duke
parents:
diff changeset
   780
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   781
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   782
            throw new CertificateException("Attribute name not recognized or " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   783
                              "set() not allowed for the same: " + id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   784
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   785
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   786
90ce3da70b43 Initial load
duke
parents:
diff changeset
   787
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   788
     * Delete the requested attribute from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   789
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   790
     * @param name the name of the attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   791
     * @exception CertificateException on invalid attribute identifier.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   792
     * @exception IOException on other errors.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   793
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   794
    public void delete(String name)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   795
    throws CertificateException, IOException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   796
        // check if immutable
90ce3da70b43 Initial load
duke
parents:
diff changeset
   797
        if (readOnly)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   798
            throw new CertificateException("cannot over-write existing"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   799
                                           + " certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   800
90ce3da70b43 Initial load
duke
parents:
diff changeset
   801
        X509AttributeName attr = new X509AttributeName(name);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   802
        String id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   803
        if (!(id.equalsIgnoreCase(NAME))) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   804
            throw new CertificateException("Invalid root of attribute name,"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   805
                                   + " expected ["
90ce3da70b43 Initial load
duke
parents:
diff changeset
   806
                                   + NAME + "], received " + id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   807
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   808
        attr = new X509AttributeName(attr.getSuffix());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   809
        id = attr.getPrefix();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   810
90ce3da70b43 Initial load
duke
parents:
diff changeset
   811
        if (id.equalsIgnoreCase(INFO)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   812
            if (attr.getSuffix() != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   813
                info = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   814
            } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   815
                info.delete(attr.getSuffix());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   816
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   817
        } else if (id.equalsIgnoreCase(ALG_ID)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   818
            algId = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   819
        } else if (id.equalsIgnoreCase(SIGNATURE)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   820
            signature = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   821
        } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   822
            signedCert = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   823
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   824
            throw new CertificateException("Attribute name not recognized or " +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   825
                              "delete() not allowed for the same: " + id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   826
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   827
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   828
90ce3da70b43 Initial load
duke
parents:
diff changeset
   829
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   830
     * Return an enumeration of names of attributes existing within this
90ce3da70b43 Initial load
duke
parents:
diff changeset
   831
     * attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   832
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   833
    public Enumeration<String> getElements() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   834
        AttributeNameEnumeration elements = new AttributeNameEnumeration();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   835
        elements.addElement(NAME + DOT + INFO);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   836
        elements.addElement(NAME + DOT + ALG_ID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   837
        elements.addElement(NAME + DOT + SIGNATURE);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   838
        elements.addElement(NAME + DOT + SIGNED_CERT);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   839
90ce3da70b43 Initial load
duke
parents:
diff changeset
   840
        return elements.elements();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   841
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   842
90ce3da70b43 Initial load
duke
parents:
diff changeset
   843
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   844
     * Return the name of this attribute.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   845
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   846
    public String getName() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   847
        return(NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   848
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   849
90ce3da70b43 Initial load
duke
parents:
diff changeset
   850
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   851
     * Returns a printable representation of the certificate.  This does not
90ce3da70b43 Initial load
duke
parents:
diff changeset
   852
     * contain all the information available to distinguish this from any
90ce3da70b43 Initial load
duke
parents:
diff changeset
   853
     * other certificate.  The certificate must be fully constructed
90ce3da70b43 Initial load
duke
parents:
diff changeset
   854
     * before this function may be called.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   855
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   856
    public String toString() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   857
        if (info == null || algId == null || signature == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   858
            return "";
90ce3da70b43 Initial load
duke
parents:
diff changeset
   859
90ce3da70b43 Initial load
duke
parents:
diff changeset
   860
        HexDumpEncoder encoder = new HexDumpEncoder();
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
   861
        return "[\n" + info + '\n' +
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
   862
            "  Algorithm: [" + algId + "]\n" +
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
   863
            "  Signature:\n" + encoder.encodeBuffer(signature) + "\n]";
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   864
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   865
90ce3da70b43 Initial load
duke
parents:
diff changeset
   866
    // the strongly typed gets, as per java.security.cert.X509Certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
   867
90ce3da70b43 Initial load
duke
parents:
diff changeset
   868
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   869
     * Gets the publickey from this certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   870
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   871
     * @return the publickey.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   872
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   873
    public PublicKey getPublicKey() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   874
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   875
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   876
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   877
            PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
90ce3da70b43 Initial load
duke
parents:
diff changeset
   878
                                + DOT + CertificateX509Key.KEY);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   879
            return key;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   880
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   881
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   882
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   883
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   884
90ce3da70b43 Initial load
duke
parents:
diff changeset
   885
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   886
     * Gets the version number from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   887
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   888
     * @return the version number, i.e. 1, 2 or 3.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   889
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   890
    public int getVersion() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   891
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   892
            return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   893
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   894
            int vers = ((Integer)info.get(CertificateVersion.NAME
90ce3da70b43 Initial load
duke
parents:
diff changeset
   895
                        + DOT + CertificateVersion.VERSION)).intValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   896
            return vers+1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   897
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   898
            return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   899
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   900
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   901
90ce3da70b43 Initial load
duke
parents:
diff changeset
   902
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   903
     * Gets the serial number from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   904
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   905
     * @return the serial number.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   906
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   907
    public BigInteger getSerialNumber() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   908
        SerialNumber ser = getSerialNumberObject();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   909
90ce3da70b43 Initial load
duke
parents:
diff changeset
   910
        return ser != null ? ser.getNumber() : null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   911
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   912
90ce3da70b43 Initial load
duke
parents:
diff changeset
   913
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   914
     * Gets the serial number from the certificate as
90ce3da70b43 Initial load
duke
parents:
diff changeset
   915
     * a SerialNumber object.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   916
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   917
     * @return the serial number.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   918
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   919
    public SerialNumber getSerialNumberObject() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   920
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   921
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   922
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   923
            SerialNumber ser = (SerialNumber)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   924
                              CertificateSerialNumber.NAME + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
   925
                              CertificateSerialNumber.NUMBER);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   926
           return ser;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   927
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   928
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   929
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   930
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   931
90ce3da70b43 Initial load
duke
parents:
diff changeset
   932
90ce3da70b43 Initial load
duke
parents:
diff changeset
   933
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   934
     * Gets the subject distinguished name from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   935
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   936
     * @return the subject name.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   937
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   938
    public Principal getSubjectDN() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   939
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   940
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   941
        try {
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   942
            Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT +
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   943
                                                    X509CertInfo.DN_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   944
            return subject;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   945
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   946
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   947
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   948
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   949
90ce3da70b43 Initial load
duke
parents:
diff changeset
   950
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   951
     * Get subject name as X500Principal. Overrides implementation in
90ce3da70b43 Initial load
duke
parents:
diff changeset
   952
     * X509Certificate with a slightly more efficient version that is
90ce3da70b43 Initial load
duke
parents:
diff changeset
   953
     * also aware of X509CertImpl mutability.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   954
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   955
    public X500Principal getSubjectX500Principal() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   956
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   957
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   958
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   959
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   960
            X500Principal subject = (X500Principal)info.get(
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   961
                                            X509CertInfo.SUBJECT + DOT +
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   962
                                            "x500principal");
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   963
            return subject;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   964
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   965
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   966
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   967
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   968
90ce3da70b43 Initial load
duke
parents:
diff changeset
   969
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   970
     * Gets the issuer distinguished name from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   971
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   972
     * @return the issuer name.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   973
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   974
    public Principal getIssuerDN() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   975
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   976
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   977
        try {
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   978
            Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT +
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   979
                                                   X509CertInfo.DN_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   980
            return issuer;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   981
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   982
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   983
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   984
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   985
90ce3da70b43 Initial load
duke
parents:
diff changeset
   986
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   987
     * Get issuer name as X500Principal. Overrides implementation in
90ce3da70b43 Initial load
duke
parents:
diff changeset
   988
     * X509Certificate with a slightly more efficient version that is
90ce3da70b43 Initial load
duke
parents:
diff changeset
   989
     * also aware of X509CertImpl mutability.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   990
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   991
    public X500Principal getIssuerX500Principal() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   992
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   993
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   994
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   995
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   996
            X500Principal issuer = (X500Principal)info.get(
14421
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   997
                                            X509CertInfo.ISSUER + DOT +
a64b2cc9d429 7198416: CertificateIssuerName and CertificateSubjectName are redundant
mullan
parents: 14342
diff changeset
   998
                                            "x500principal");
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   999
            return issuer;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1000
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1001
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1002
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1003
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1004
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1005
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1006
     * Gets the notBefore date from the validity period of the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1007
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1008
     * @return the start date of the validity period.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1009
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1010
    public Date getNotBefore() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1011
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1012
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1013
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1014
            Date d = (Date) info.get(CertificateValidity.NAME + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1015
                                        CertificateValidity.NOT_BEFORE);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1016
            return d;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1017
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1018
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1019
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1020
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1021
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1022
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1023
     * Gets the notAfter date from the validity period of the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1024
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1025
     * @return the end date of the validity period.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1026
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1027
    public Date getNotAfter() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1028
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1029
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1030
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1031
            Date d = (Date) info.get(CertificateValidity.NAME + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1032
                                     CertificateValidity.NOT_AFTER);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1033
            return d;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1034
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1035
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1036
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1037
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1038
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1039
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1040
     * Gets the DER encoded certificate informations, the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1041
     * <code>tbsCertificate</code> from this certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1042
     * This can be used to verify the signature independently.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1043
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1044
     * @return the DER encoded certificate information.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1045
     * @exception CertificateEncodingException if an encoding error occurs.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1046
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1047
    public byte[] getTBSCertificate() throws CertificateEncodingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1048
        if (info != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1049
            return info.getEncodedInfo();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1050
        } else
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1051
            throw new CertificateEncodingException("Uninitialized certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1052
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1053
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1054
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1055
     * Gets the raw Signature bits from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1056
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1057
     * @return the signature.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1058
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1059
    public byte[] getSignature() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1060
        if (signature == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1061
            return null;
35283
c5082624b79f 8074068: Cleanup in java.base/share/classes/sun/security/x509/
igerasim
parents: 34687
diff changeset
  1062
        return signature.clone();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1063
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1064
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1065
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1066
     * Gets the signature algorithm name for the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1067
     * signature algorithm.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1068
     * For example, the string "SHA-1/DSA" or "DSS".
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1069
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1070
     * @return the signature algorithm name.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1071
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1072
    public String getSigAlgName() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1073
        if (algId == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1074
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1075
        return (algId.getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1076
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1077
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1078
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1079
     * Gets the signature algorithm OID string from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1080
     * For example, the string "1.2.840.10040.4.3"
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1081
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1082
     * @return the signature algorithm oid string.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1083
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1084
    public String getSigAlgOID() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1085
        if (algId == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1086
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1087
        ObjectIdentifier oid = algId.getOID();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1088
        return (oid.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1089
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1090
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1091
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1092
     * Gets the DER encoded signature algorithm parameters from this
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1093
     * certificate's signature algorithm.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1094
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1095
     * @return the DER encoded signature algorithm parameters, or
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1096
     *         null if no parameters are present.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1097
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1098
    public byte[] getSigAlgParams() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1099
        if (algId == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1100
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1101
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1102
            return algId.getEncodedParams();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1103
        } catch (IOException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1104
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1105
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1106
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1107
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1108
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1109
     * Gets the Issuer Unique Identity from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1110
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1111
     * @return the Issuer Unique Identity.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1112
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1113
    public boolean[] getIssuerUniqueID() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1114
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1115
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1116
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1117
            UniqueIdentity id = (UniqueIdentity)info.get(
13789
639c51fe428c 4647343: IDENT variable in sun.security.x509 classes not used
mullan
parents: 13406
diff changeset
  1118
                                 X509CertInfo.ISSUER_ID);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1119
            if (id == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1120
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1121
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1122
                return (id.getId());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1123
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1124
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1125
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1126
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1127
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1128
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1129
     * Gets the Subject Unique Identity from the certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1130
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1131
     * @return the Subject Unique Identity.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1132
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1133
    public boolean[] getSubjectUniqueID() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1134
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1135
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1136
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1137
            UniqueIdentity id = (UniqueIdentity)info.get(
13789
639c51fe428c 4647343: IDENT variable in sun.security.x509 classes not used
mullan
parents: 13406
diff changeset
  1138
                                 X509CertInfo.SUBJECT_ID);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1139
            if (id == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1140
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1141
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1142
                return (id.getId());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1143
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1144
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1145
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1146
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1147
16492
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1148
    public KeyIdentifier getAuthKeyId() {
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1149
        AuthorityKeyIdentifierExtension aki
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1150
            = getAuthorityKeyIdentifierExtension();
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1151
        if (aki != null) {
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1152
            try {
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1153
                return (KeyIdentifier)aki.get(
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1154
                    AuthorityKeyIdentifierExtension.KEY_ID);
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1155
            } catch (IOException ioe) {} // not possible
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1156
        }
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1157
        return null;
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1158
    }
4cd9aa345503 8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents: 16020
diff changeset
  1159
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1160
    /**
21819
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1161
     * Returns the subject's key identifier, or null
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1162
     */
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1163
    public KeyIdentifier getSubjectKeyId() {
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1164
        SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension();
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1165
        if (ski != null) {
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1166
            try {
22041
3638966a5c02 8030082: Fix raw types lint warnings, etc. in various sun.security libraries
darcy
parents: 21819
diff changeset
  1167
                return ski.get(SubjectKeyIdentifierExtension.KEY_ID);
21819
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1168
            } catch (IOException ioe) {} // not possible
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1169
        }
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1170
        return null;
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1171
    }
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1172
8cd757e836d8 8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents: 20177
diff changeset
  1173
    /**
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1174
     * Get AuthorityKeyIdentifier extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1175
     * @return AuthorityKeyIdentifier object or null (if no such object
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1176
     * in certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1177
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1178
    public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1179
    {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1180
        return (AuthorityKeyIdentifierExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1181
            getExtension(PKIXExtensions.AuthorityKey_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1182
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1183
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1184
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1185
     * Get BasicConstraints extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1186
     * @return BasicConstraints object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1187
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1188
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1189
    public BasicConstraintsExtension getBasicConstraintsExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1190
        return (BasicConstraintsExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1191
            getExtension(PKIXExtensions.BasicConstraints_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1192
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1193
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1194
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1195
     * Get CertificatePoliciesExtension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1196
     * @return CertificatePoliciesExtension or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1197
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1198
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1199
    public CertificatePoliciesExtension getCertificatePoliciesExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1200
        return (CertificatePoliciesExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1201
            getExtension(PKIXExtensions.CertificatePolicies_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1202
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1203
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1204
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1205
     * Get ExtendedKeyUsage extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1206
     * @return ExtendedKeyUsage extension object or null (if no such object
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1207
     * in certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1208
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1209
    public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1210
        return (ExtendedKeyUsageExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1211
            getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1212
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1213
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1214
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1215
     * Get IssuerAlternativeName extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1216
     * @return IssuerAlternativeName object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1217
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1218
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1219
    public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1220
        return (IssuerAlternativeNameExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1221
            getExtension(PKIXExtensions.IssuerAlternativeName_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1222
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1223
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1224
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1225
     * Get NameConstraints extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1226
     * @return NameConstraints object or null (if no such object in certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1227
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1228
    public NameConstraintsExtension getNameConstraintsExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1229
        return (NameConstraintsExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1230
            getExtension(PKIXExtensions.NameConstraints_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1231
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1232
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1233
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1234
     * Get PolicyConstraints extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1235
     * @return PolicyConstraints object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1236
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1237
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1238
    public PolicyConstraintsExtension getPolicyConstraintsExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1239
        return (PolicyConstraintsExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1240
            getExtension(PKIXExtensions.PolicyConstraints_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1241
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1242
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1243
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1244
     * Get PolicyMappingsExtension extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1245
     * @return PolicyMappingsExtension object or null (if no such object
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1246
     * in certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1247
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1248
    public PolicyMappingsExtension getPolicyMappingsExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1249
        return (PolicyMappingsExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1250
            getExtension(PKIXExtensions.PolicyMappings_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1251
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1252
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1253
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1254
     * Get PrivateKeyUsage extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1255
     * @return PrivateKeyUsage object or null (if no such object in certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1256
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1257
    public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1258
        return (PrivateKeyUsageExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1259
            getExtension(PKIXExtensions.PrivateKeyUsage_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1260
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1261
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1262
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1263
     * Get SubjectAlternativeName extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1264
     * @return SubjectAlternativeName object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1265
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1266
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1267
    public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1268
    {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1269
        return (SubjectAlternativeNameExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1270
            getExtension(PKIXExtensions.SubjectAlternativeName_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1271
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1272
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1273
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1274
     * Get SubjectKeyIdentifier extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1275
     * @return SubjectKeyIdentifier object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1276
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1277
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1278
    public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1279
        return (SubjectKeyIdentifierExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1280
            getExtension(PKIXExtensions.SubjectKey_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1281
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1282
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1283
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1284
     * Get CRLDistributionPoints extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1285
     * @return CRLDistributionPoints object or null (if no such object in
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1286
     * certificate)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1287
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1288
    public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1289
        return (CRLDistributionPointsExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1290
            getExtension(PKIXExtensions.CRLDistributionPoints_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1291
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1292
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1293
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1294
     * Return true if a critical extension is found that is
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1295
     * not supported, otherwise return false.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1296
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1297
    public boolean hasUnsupportedCriticalExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1298
        if (info == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1299
            return false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1300
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1301
            CertificateExtensions exts = (CertificateExtensions)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1302
                                         CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1303
            if (exts == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1304
                return false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1305
            return exts.hasUnsupportedCriticalExtension();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1306
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1307
            return false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1308
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1309
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1310
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1311
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1312
     * Gets a Set of the extension(s) marked CRITICAL in the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1313
     * certificate. In the returned set, each extension is
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1314
     * represented by its OID string.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1315
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1316
     * @return a set of the extension oid strings in the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1317
     * certificate that are marked critical.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1318
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1319
    public Set<String> getCriticalExtensionOIDs() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1320
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1321
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1322
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1323
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1324
            CertificateExtensions exts = (CertificateExtensions)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1325
                                         CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1326
            if (exts == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1327
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1328
            }
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1329
            Set<String> extSet = new TreeSet<>();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1330
            for (Extension ex : exts.getAllExtensions()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1331
                if (ex.isCritical()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1332
                    extSet.add(ex.getExtensionId().toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1333
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1334
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1335
            return extSet;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1336
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1337
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1338
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1339
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1340
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1341
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1342
     * Gets a Set of the extension(s) marked NON-CRITICAL in the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1343
     * certificate. In the returned set, each extension is
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1344
     * represented by its OID string.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1345
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1346
     * @return a set of the extension oid strings in the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1347
     * certificate that are NOT marked critical.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1348
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1349
    public Set<String> getNonCriticalExtensionOIDs() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1350
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1351
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1352
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1353
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1354
            CertificateExtensions exts = (CertificateExtensions)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1355
                                         CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1356
            if (exts == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1357
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1358
            }
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1359
            Set<String> extSet = new TreeSet<>();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1360
            for (Extension ex : exts.getAllExtensions()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1361
                if (!ex.isCritical()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1362
                    extSet.add(ex.getExtensionId().toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1363
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1364
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1365
            extSet.addAll(exts.getUnparseableExtensions().keySet());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1366
            return extSet;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1367
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1368
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1369
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1370
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1371
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1372
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1373
     * Gets the extension identified by the given ObjectIdentifier
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1374
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1375
     * @param oid the Object Identifier value for the extension.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1376
     * @return Extension or null if certificate does not contain this
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1377
     *         extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1378
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1379
    public Extension getExtension(ObjectIdentifier oid) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1380
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1381
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1382
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1383
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1384
            CertificateExtensions extensions;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1385
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1386
                extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1387
            } catch (CertificateException ce) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1388
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1389
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1390
            if (extensions == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1391
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1392
            } else {
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1393
                Extension ex = extensions.getExtension(oid.toString());
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1394
                if (ex != null) {
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1395
                    return ex;
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1396
                }
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1397
                for (Extension ex2: extensions.getAllExtensions()) {
31426
9cd672654f97 8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents: 30649
diff changeset
  1398
                    if (ex2.getExtensionId().equals(oid)) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1399
                        //XXXX May want to consider cloning this
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1400
                        return ex2;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1401
                    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1402
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1403
                /* no such extension in this certificate */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1404
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1405
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1406
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1407
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1408
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1409
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1410
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1411
    public Extension getUnparseableExtension(ObjectIdentifier oid) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1412
        if (info == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1413
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1414
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1415
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1416
            CertificateExtensions extensions;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1417
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1418
                extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1419
            } catch (CertificateException ce) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1420
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1421
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1422
            if (extensions == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1423
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1424
            } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1425
                return extensions.getUnparseableExtensions().get(oid.toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1426
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1427
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1428
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1429
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1430
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1431
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1432
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1433
     * Gets the DER encoded extension identified by the given
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1434
     * oid String.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1435
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1436
     * @param oid the Object Identifier value for the extension.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1437
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1438
    public byte[] getExtensionValue(String oid) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1439
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1440
            ObjectIdentifier findOID = new ObjectIdentifier(oid);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1441
            String extAlias = OIDMap.getName(findOID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1442
            Extension certExt = null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1443
            CertificateExtensions exts = (CertificateExtensions)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1444
                                     CertificateExtensions.NAME);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1445
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1446
            if (extAlias == null) { // may be unknown
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1447
                // get the extensions, search thru' for this oid
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1448
                if (exts == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1449
                    return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1450
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1451
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1452
                for (Extension ex : exts.getAllExtensions()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1453
                    ObjectIdentifier inCertOID = ex.getExtensionId();
31426
9cd672654f97 8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents: 30649
diff changeset
  1454
                    if (inCertOID.equals(findOID)) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1455
                        certExt = ex;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1456
                        break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1457
                    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1458
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1459
            } else { // there's sub-class that can handle this extension
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1460
                try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1461
                    certExt = (Extension)this.get(extAlias);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1462
                } catch (CertificateException e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1463
                    // get() throws an Exception instead of returning null, ignore
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1464
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1465
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1466
            if (certExt == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1467
                if (exts != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1468
                    certExt = exts.getUnparseableExtensions().get(oid);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1469
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1470
                if (certExt == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1471
                    return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1472
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1473
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1474
            byte[] extData = certExt.getExtensionValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1475
            if (extData == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1476
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1477
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1478
            DerOutputStream out = new DerOutputStream();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1479
            out.putOctetString(extData);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1480
            return out.toByteArray();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1481
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1482
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1483
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1484
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1485
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1486
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1487
     * Get a boolean array representing the bits of the KeyUsage extension,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1488
     * (oid = 2.5.29.15).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1489
     * @return the bit values of this extension as an array of booleans.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1490
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1491
    public boolean[] getKeyUsage() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1492
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1493
            String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1494
            if (extAlias == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1495
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1496
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1497
            KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1498
            if (certExt == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1499
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1500
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1501
            boolean[] ret = certExt.getBits();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1502
            if (ret.length < NUM_STANDARD_KEY_USAGE) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1503
                boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1504
                System.arraycopy(ret, 0, usageBits, 0, ret.length);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1505
                ret = usageBits;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1506
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1507
            return ret;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1508
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1509
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1510
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1511
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1512
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1513
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1514
     * This method are the overridden implementation of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1515
     * getExtendedKeyUsage method in X509Certificate in the Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1516
     * provider. It is better performance-wise since it returns cached
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1517
     * values.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1518
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1519
    public synchronized List<String> getExtendedKeyUsage()
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1520
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1521
        if (readOnly && extKeyUsage != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1522
            return extKeyUsage;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1523
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1524
            ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1525
            if (ext == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1526
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1527
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1528
            extKeyUsage =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1529
                Collections.unmodifiableList(ext.getExtendedKeyUsage());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1530
            return extKeyUsage;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1531
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1532
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1533
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1534
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1535
     * This static method is the default implementation of the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1536
     * getExtendedKeyUsage method in X509Certificate. A
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1537
     * X509Certificate provider generally should overwrite this to
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1538
     * provide among other things caching for better performance.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1539
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1540
    public static List<String> getExtendedKeyUsage(X509Certificate cert)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1541
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1542
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1543
            byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1544
            if (ext == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1545
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1546
            DerValue val = new DerValue(ext);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1547
            byte[] data = val.getOctetString();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1548
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1549
            ExtendedKeyUsageExtension ekuExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1550
                new ExtendedKeyUsageExtension(Boolean.FALSE, data);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1551
            return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1552
        } catch (IOException ioe) {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1553
            throw new CertificateParsingException(ioe);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1554
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1555
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1556
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1557
    /**
47478
438e0c9f2f17 8190382: fix small typographic errors in comments
smarks
parents: 47216
diff changeset
  1558
     * Get the certificate constraints path length from
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1559
     * the critical BasicConstraints extension, (oid = 2.5.29.19).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1560
     * @return the length of the constraint.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1561
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1562
    public int getBasicConstraints() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1563
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1564
            String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1565
            if (extAlias == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1566
                return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1567
            BasicConstraintsExtension certExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1568
                        (BasicConstraintsExtension)this.get(extAlias);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1569
            if (certExt == null)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1570
                return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1571
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1572
            if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1573
                 ).booleanValue() == true)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1574
                return ((Integer)certExt.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1575
                        BasicConstraintsExtension.PATH_LEN)).intValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1576
            else
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1577
                return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1578
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1579
            return -1;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1580
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1581
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1582
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1583
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1584
     * Converts a GeneralNames structure into an immutable Collection of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1585
     * alternative names (subject or issuer) in the form required by
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1586
     * {@link #getSubjectAlternativeNames} or
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1587
     * {@link #getIssuerAlternativeNames}.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1588
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1589
     * @param names the GeneralNames to be converted
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1590
     * @return an immutable Collection of alternative names
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1591
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1592
    private static Collection<List<?>> makeAltNames(GeneralNames names) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1593
        if (names.isEmpty()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1594
            return Collections.<List<?>>emptySet();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1595
        }
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1596
        List<List<?>> newNames = new ArrayList<>();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1597
        for (GeneralName gname : names.names()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1598
            GeneralNameInterface name = gname.getName();
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1599
            List<Object> nameEntry = new ArrayList<>(2);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1600
            nameEntry.add(Integer.valueOf(name.getType()));
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1601
            switch (name.getType()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1602
            case GeneralNameInterface.NAME_RFC822:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1603
                nameEntry.add(((RFC822Name) name).getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1604
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1605
            case GeneralNameInterface.NAME_DNS:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1606
                nameEntry.add(((DNSName) name).getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1607
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1608
            case GeneralNameInterface.NAME_DIRECTORY:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1609
                nameEntry.add(((X500Name) name).getRFC2253Name());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1610
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1611
            case GeneralNameInterface.NAME_URI:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1612
                nameEntry.add(((URIName) name).getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1613
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1614
            case GeneralNameInterface.NAME_IP:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1615
                try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1616
                    nameEntry.add(((IPAddressName) name).getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1617
                } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1618
                    // IPAddressName in cert is bogus
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1619
                    throw new RuntimeException("IPAddress cannot be parsed",
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1620
                        ioe);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1621
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1622
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1623
            case GeneralNameInterface.NAME_OID:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1624
                nameEntry.add(((OIDName) name).getOID().toString());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1625
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1626
            default:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1627
                // add DER encoded form
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1628
                DerOutputStream derOut = new DerOutputStream();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1629
                try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1630
                    name.encode(derOut);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1631
                } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1632
                    // should not occur since name has already been decoded
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1633
                    // from cert (this would indicate a bug in our code)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1634
                    throw new RuntimeException("name cannot be encoded", ioe);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1635
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1636
                nameEntry.add(derOut.toByteArray());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1637
                break;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1638
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1639
            newNames.add(Collections.unmodifiableList(nameEntry));
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1640
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1641
        return Collections.unmodifiableCollection(newNames);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1642
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1643
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1644
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1645
     * Checks a Collection of altNames and clones any name entries of type
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1646
     * byte [].
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1647
     */ // only partially generified due to javac bug
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1648
    private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1649
        boolean mustClone = false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1650
        for (List<?> nameEntry : altNames) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1651
            if (nameEntry.get(1) instanceof byte[]) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1652
                // must clone names
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1653
                mustClone = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1654
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1655
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1656
        if (mustClone) {
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1657
            List<List<?>> namesCopy = new ArrayList<>();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1658
            for (List<?> nameEntry : altNames) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1659
                Object nameObject = nameEntry.get(1);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1660
                if (nameObject instanceof byte[]) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1661
                    List<Object> nameEntryCopy =
13038
e6024efff1b6 7143872: Improve certificate extension processing
weijun
parents: 5506
diff changeset
  1662
                                        new ArrayList<>(nameEntry);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1663
                    nameEntryCopy.set(1, ((byte[])nameObject).clone());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1664
                    namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1665
                } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1666
                    namesCopy.add(nameEntry);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1667
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1668
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1669
            return Collections.unmodifiableCollection(namesCopy);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1670
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1671
            return altNames;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1672
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1673
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1674
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1675
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1676
     * This method are the overridden implementation of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1677
     * getSubjectAlternativeNames method in X509Certificate in the Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1678
     * provider. It is better performance-wise since it returns cached
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1679
     * values.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1680
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1681
    public synchronized Collection<List<?>> getSubjectAlternativeNames()
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1682
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1683
        // return cached value if we can
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1684
        if (readOnly && subjectAlternativeNames != null)  {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1685
            return cloneAltNames(subjectAlternativeNames);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1686
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1687
        SubjectAlternativeNameExtension subjectAltNameExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1688
            getSubjectAlternativeNameExtension();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1689
        if (subjectAltNameExt == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1690
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1691
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1692
        GeneralNames names;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1693
        try {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1694
            names = subjectAltNameExt.get(
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1695
                    SubjectAlternativeNameExtension.SUBJECT_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1696
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1697
            // should not occur
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1698
            return Collections.<List<?>>emptySet();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1699
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1700
        subjectAlternativeNames = makeAltNames(names);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1701
        return subjectAlternativeNames;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1702
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1703
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1704
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1705
     * This static method is the default implementation of the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1706
     * getSubjectAlternaitveNames method in X509Certificate. A
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1707
     * X509Certificate provider generally should overwrite this to
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1708
     * provide among other things caching for better performance.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1709
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1710
    public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1711
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1712
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1713
            byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1714
            if (ext == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1715
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1716
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1717
            DerValue val = new DerValue(ext);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1718
            byte[] data = val.getOctetString();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1719
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1720
            SubjectAlternativeNameExtension subjectAltNameExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1721
                new SubjectAlternativeNameExtension(Boolean.FALSE,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1722
                                                    data);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1723
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1724
            GeneralNames names;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1725
            try {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1726
                names = subjectAltNameExt.get(
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1727
                        SubjectAlternativeNameExtension.SUBJECT_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1728
            }  catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1729
                // should not occur
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1730
                return Collections.<List<?>>emptySet();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1731
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1732
            return makeAltNames(names);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1733
        } catch (IOException ioe) {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1734
            throw new CertificateParsingException(ioe);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1735
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1736
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1737
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1738
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1739
     * This method are the overridden implementation of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1740
     * getIssuerAlternativeNames method in X509Certificate in the Sun
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1741
     * provider. It is better performance-wise since it returns cached
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1742
     * values.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1743
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1744
    public synchronized Collection<List<?>> getIssuerAlternativeNames()
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1745
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1746
        // return cached value if we can
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1747
        if (readOnly && issuerAlternativeNames != null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1748
            return cloneAltNames(issuerAlternativeNames);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1749
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1750
        IssuerAlternativeNameExtension issuerAltNameExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1751
            getIssuerAlternativeNameExtension();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1752
        if (issuerAltNameExt == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1753
            return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1754
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1755
        GeneralNames names;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1756
        try {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1757
            names = issuerAltNameExt.get(
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1758
                    IssuerAlternativeNameExtension.ISSUER_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1759
        } catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1760
            // should not occur
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1761
            return Collections.<List<?>>emptySet();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1762
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1763
        issuerAlternativeNames = makeAltNames(names);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1764
        return issuerAlternativeNames;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1765
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1766
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1767
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1768
     * This static method is the default implementation of the
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1769
     * getIssuerAlternaitveNames method in X509Certificate. A
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1770
     * X509Certificate provider generally should overwrite this to
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1771
     * provide among other things caching for better performance.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1772
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1773
    public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1774
        throws CertificateParsingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1775
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1776
            byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1777
            if (ext == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1778
                return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1779
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1780
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1781
            DerValue val = new DerValue(ext);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1782
            byte[] data = val.getOctetString();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1783
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1784
            IssuerAlternativeNameExtension issuerAltNameExt =
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1785
                new IssuerAlternativeNameExtension(Boolean.FALSE,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1786
                                                    data);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1787
            GeneralNames names;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1788
            try {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1789
                names = issuerAltNameExt.get(
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1790
                        IssuerAlternativeNameExtension.ISSUER_NAME);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1791
            }  catch (IOException ioe) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1792
                // should not occur
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1793
                return Collections.<List<?>>emptySet();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1794
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1795
            return makeAltNames(names);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1796
        } catch (IOException ioe) {
10336
0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents: 5506
diff changeset
  1797
            throw new CertificateParsingException(ioe);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1798
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1799
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1800
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1801
    public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1802
        return (AuthorityInfoAccessExtension)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1803
            getExtension(PKIXExtensions.AuthInfoAccess_Id);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1804
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1805
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1806
    /************************************************************/
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1807
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1808
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1809
     * Cert is a SIGNED ASN.1 macro, a three elment sequence:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1810
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1811
     *  - Data to be signed (ToBeSigned) -- the "raw" cert
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1812
     *  - Signature algorithm (SigAlgId)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1813
     *  - The signature bits
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1814
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1815
     * This routine unmarshals the certificate, saving the signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1816
     * parts away for later verification.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1817
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1818
    private void parse(DerValue val)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1819
    throws CertificateException, IOException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1820
        // check if can over write the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1821
        if (readOnly)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1822
            throw new CertificateParsingException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1823
                      "cannot over-write existing certificate");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1824
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1825
        if (val.data == null || val.tag != DerValue.tag_Sequence)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1826
            throw new CertificateParsingException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1827
                      "invalid DER-encoded certificate data");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1828
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1829
        signedCert = val.toByteArray();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1830
        DerValue[] seq = new DerValue[3];
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1831
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1832
        seq[0] = val.data.getDerValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1833
        seq[1] = val.data.getDerValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1834
        seq[2] = val.data.getDerValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1835
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1836
        if (val.data.available() != 0) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1837
            throw new CertificateParsingException("signed overrun, bytes = "
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1838
                                     + val.data.available());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1839
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1840
        if (seq[0].tag != DerValue.tag_Sequence) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1841
            throw new CertificateParsingException("signed fields invalid");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1842
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1843
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1844
        algId = AlgorithmId.parse(seq[1]);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1845
        signature = seq[2].getBitString();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1846
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1847
        if (seq[1].data.available() != 0) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1848
            throw new CertificateParsingException("algid field overrun");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1849
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1850
        if (seq[2].data.available() != 0)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1851
            throw new CertificateParsingException("signed fields overrun");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1852
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1853
        // The CertificateInfo
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1854
        info = new X509CertInfo(seq[0]);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1855
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1856
        // the "inner" and "outer" signature algorithms must match
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1857
        AlgorithmId infoSigAlg = (AlgorithmId)info.get(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1858
                                              CertificateAlgorithmId.NAME
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1859
                                              + DOT +
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1860
                                              CertificateAlgorithmId.ALGORITHM);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1861
        if (! algId.equals(infoSigAlg))
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1862
            throw new CertificateException("Signature algorithm mismatch");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1863
        readOnly = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1864
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1865
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1866
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1867
     * Extract the subject or issuer X500Principal from an X509Certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1868
     * Parses the encoded form of the cert to preserve the principal's
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1869
     * ASN.1 encoding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1870
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1871
    private static X500Principal getX500Principal(X509Certificate cert,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1872
            boolean getIssuer) throws Exception {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1873
        byte[] encoded = cert.getEncoded();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1874
        DerInputStream derIn = new DerInputStream(encoded);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1875
        DerValue tbsCert = derIn.getSequence(3)[0];
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1876
        DerInputStream tbsIn = tbsCert.data;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1877
        DerValue tmp;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1878
        tmp = tbsIn.getDerValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1879
        // skip version number if present
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1880
        if (tmp.isContextSpecific((byte)0)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1881
          tmp = tbsIn.getDerValue();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1882
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1883
        // tmp always contains serial number now
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1884
        tmp = tbsIn.getDerValue();              // skip signature
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1885
        tmp = tbsIn.getDerValue();              // issuer
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1886
        if (getIssuer == false) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1887
            tmp = tbsIn.getDerValue();          // skip validity
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1888
            tmp = tbsIn.getDerValue();          // subject
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1889
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1890
        byte[] principalBytes = tmp.toByteArray();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1891
        return new X500Principal(principalBytes);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1892
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1893
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1894
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1895
     * Extract the subject X500Principal from an X509Certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1896
     * Called from java.security.cert.X509Certificate.getSubjectX500Principal().
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1897
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1898
    public static X500Principal getSubjectX500Principal(X509Certificate cert) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1899
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1900
            return getX500Principal(cert, false);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1901
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1902
            throw new RuntimeException("Could not parse subject", e);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1903
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1904
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1905
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1906
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1907
     * Extract the issuer X500Principal from an X509Certificate.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1908
     * Called from java.security.cert.X509Certificate.getIssuerX500Principal().
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1909
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1910
    public static X500Principal getIssuerX500Principal(X509Certificate cert) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1911
        try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1912
            return getX500Principal(cert, true);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1913
        } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1914
            throw new RuntimeException("Could not parse issuer", e);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1915
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1916
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1917
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1918
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1919
     * Returned the encoding of the given certificate for internal use.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1920
     * Callers must guarantee that they neither modify it nor expose it
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1921
     * to untrusted code. Uses getEncodedInternal() if the certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1922
     * is instance of X509CertImpl, getEncoded() otherwise.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1923
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1924
    public static byte[] getEncodedInternal(Certificate cert)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1925
            throws CertificateEncodingException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1926
        if (cert instanceof X509CertImpl) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1927
            return ((X509CertImpl)cert).getEncodedInternal();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1928
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1929
            return cert.getEncoded();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1930
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1931
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1932
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1933
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1934
     * Utility method to convert an arbitrary instance of X509Certificate
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1935
     * to a X509CertImpl. Does a cast if possible, otherwise reparses
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1936
     * the encoding.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1937
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1938
    public static X509CertImpl toImpl(X509Certificate cert)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1939
            throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1940
        if (cert instanceof X509CertImpl) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1941
            return (X509CertImpl)cert;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1942
        } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1943
            return X509Factory.intern(cert);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1944
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1945
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1946
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1947
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1948
     * Utility method to test if a certificate is self-issued. This is
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1949
     * the case iff the subject and issuer X500Principals are equal.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1950
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1951
    public static boolean isSelfIssued(X509Certificate cert) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1952
        X500Principal subject = cert.getSubjectX500Principal();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1953
        X500Principal issuer = cert.getIssuerX500Principal();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1954
        return subject.equals(issuer);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1955
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1956
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1957
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1958
     * Utility method to test if a certificate is self-signed. This is
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1959
     * the case iff the subject and issuer X500Principals are equal
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1960
     * AND the certificate's subject public key can be used to verify
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1961
     * the certificate. In case of exception, returns false.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1962
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1963
    public static boolean isSelfSigned(X509Certificate cert,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1964
        String sigProvider) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1965
        if (isSelfIssued(cert)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1966
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1967
                if (sigProvider == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1968
                    cert.verify(cert.getPublicKey());
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1969
                } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1970
                    cert.verify(cert.getPublicKey(), sigProvider);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1971
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1972
                return true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1973
            } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1974
                // In case of exception, return false
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1975
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1976
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1977
        return false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1978
    }
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1979
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1980
    private ConcurrentHashMap<String,String> fingerprints =
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1981
            new ConcurrentHashMap<>(2);
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1982
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1983
    public String getFingerprint(String algorithm) {
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1984
        return fingerprints.computeIfAbsent(algorithm,
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 35283
diff changeset
  1985
            x -> getFingerprint(x, this));
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1986
    }
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1987
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1988
    /**
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1989
     * Gets the requested finger print of the certificate. The result
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1990
     * only contains 0-9 and A-F. No small case, no colon.
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1991
     */
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 35283
diff changeset
  1992
    public static String getFingerprint(String algorithm,
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 35283
diff changeset
  1993
            X509Certificate cert) {
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1994
        try {
37726
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 35283
diff changeset
  1995
            byte[] encCertInfo = cert.getEncoded();
bbecfff95ec3 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents: 35283
diff changeset
  1996
            MessageDigest md = MessageDigest.getInstance(algorithm);
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1997
            byte[] digest = md.digest(encCertInfo);
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  1998
            StringBuilder sb = new StringBuilder(digest.length * 2);
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  1999
            for (int i = 0; i < digest.length; i++) {
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2000
                byte2hex(digest[i], sb);
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2001
            }
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2002
            return sb.toString();
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2003
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2004
            // ignored
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2005
        }
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2006
        return "";
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2007
    }
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2008
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2009
    /**
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2010
     * Converts a byte to hex digit and writes to the supplied builder
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2011
     */
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2012
    private static void byte2hex(byte b, StringBuilder buf) {
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2013
        char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2014
                '9', 'A', 'B', 'C', 'D', 'E', 'F' };
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2015
        int high = ((b & 0xf0) >> 4);
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2016
        int low = (b & 0x0f);
30649
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2017
        buf.append(hexChars[high])
e7cc8f48f616 8080522: Optimize string operations in java.base/share/classes/sun/security/x509/
igerasim
parents: 30374
diff changeset
  2018
            .append(hexChars[low]);
20177
8ea486a4f36e 8011402: Move blacklisting certificate logic from hard code to data
weijun
parents: 16492
diff changeset
  2019
    }
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  2020
}