2
|
1 |
/*
|
|
2 |
* Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved.
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
7 |
* published by the Free Software Foundation. Sun designates this
|
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
9 |
* by Sun in the LICENSE file that accompanied this code.
|
|
10 |
*
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
15 |
* accompanied this code).
|
|
16 |
*
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
20 |
*
|
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or
|
|
23 |
* have any questions.
|
|
24 |
*/
|
|
25 |
|
|
26 |
package sun.security.x509;
|
|
27 |
|
|
28 |
import java.io.BufferedReader;
|
|
29 |
import java.io.BufferedInputStream;
|
|
30 |
import java.io.ByteArrayOutputStream;
|
|
31 |
import java.io.IOException;
|
|
32 |
import java.io.InputStream;
|
|
33 |
import java.io.InputStreamReader;
|
|
34 |
import java.io.OutputStream;
|
|
35 |
import java.math.BigInteger;
|
|
36 |
import java.security.*;
|
|
37 |
import java.security.cert.*;
|
|
38 |
import java.security.cert.Certificate;
|
|
39 |
import java.util.*;
|
|
40 |
|
|
41 |
import javax.security.auth.x500.X500Principal;
|
|
42 |
|
|
43 |
import sun.misc.HexDumpEncoder;
|
|
44 |
import sun.misc.BASE64Decoder;
|
|
45 |
import sun.security.util.*;
|
|
46 |
import sun.security.provider.X509Factory;
|
|
47 |
|
|
48 |
/**
|
|
49 |
* The X509CertImpl class represents an X.509 certificate. These certificates
|
|
50 |
* are widely used to support authentication and other functionality in
|
|
51 |
* Internet security systems. Common applications include Privacy Enhanced
|
|
52 |
* Mail (PEM), Transport Layer Security (SSL), code signing for trusted
|
|
53 |
* software distribution, and Secure Electronic Transactions (SET). There
|
|
54 |
* is a commercial infrastructure ready to manage large scale deployments
|
|
55 |
* of X.509 identity certificates.
|
|
56 |
*
|
|
57 |
* <P>These certificates are managed and vouched for by <em>Certificate
|
|
58 |
* Authorities</em> (CAs). CAs are services which create certificates by
|
|
59 |
* placing data in the X.509 standard format and then digitally signing
|
|
60 |
* that data. Such signatures are quite difficult to forge. CAs act as
|
|
61 |
* trusted third parties, making introductions between agents who have no
|
|
62 |
* direct knowledge of each other. CA certificates are either signed by
|
|
63 |
* themselves, or by some other CA such as a "root" CA.
|
|
64 |
*
|
|
65 |
* <P>RFC 1422 is very informative, though it does not describe much
|
|
66 |
* of the recent work being done with X.509 certificates. That includes
|
|
67 |
* a 1996 version (X.509v3) and a variety of enhancements being made to
|
|
68 |
* facilitate an explosion of personal certificates used as "Internet
|
|
69 |
* Drivers' Licences", or with SET for credit card transactions.
|
|
70 |
*
|
|
71 |
* <P>More recent work includes the IETF PKIX Working Group efforts,
|
|
72 |
* especially RFC2459.
|
|
73 |
*
|
|
74 |
* @author Dave Brownell
|
|
75 |
* @author Amit Kapoor
|
|
76 |
* @author Hemma Prafullchandra
|
|
77 |
* @see X509CertInfo
|
|
78 |
*/
|
|
79 |
public class X509CertImpl extends X509Certificate implements DerEncoder {
|
|
80 |
|
|
81 |
private static final long serialVersionUID = -3457612960190864406L;
|
|
82 |
|
|
83 |
private static final String DOT = ".";
|
|
84 |
/**
|
|
85 |
* Public attribute names.
|
|
86 |
*/
|
|
87 |
public static final String NAME = "x509";
|
|
88 |
public static final String INFO = X509CertInfo.NAME;
|
|
89 |
public static final String ALG_ID = "algorithm";
|
|
90 |
public static final String SIGNATURE = "signature";
|
|
91 |
public static final String SIGNED_CERT = "signed_cert";
|
|
92 |
|
|
93 |
/**
|
|
94 |
* The following are defined for ease-of-use. These
|
|
95 |
* are the most frequently retrieved attributes.
|
|
96 |
*/
|
|
97 |
// x509.info.subject.dname
|
|
98 |
public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
|
|
99 |
X509CertInfo.SUBJECT + DOT +
|
|
100 |
CertificateSubjectName.DN_NAME;
|
|
101 |
// x509.info.issuer.dname
|
|
102 |
public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
|
|
103 |
X509CertInfo.ISSUER + DOT +
|
|
104 |
CertificateIssuerName.DN_NAME;
|
|
105 |
// x509.info.serialNumber.number
|
|
106 |
public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
|
|
107 |
X509CertInfo.SERIAL_NUMBER + DOT +
|
|
108 |
CertificateSerialNumber.NUMBER;
|
|
109 |
// x509.info.key.value
|
|
110 |
public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
|
|
111 |
X509CertInfo.KEY + DOT +
|
|
112 |
CertificateX509Key.KEY;
|
|
113 |
|
|
114 |
// x509.info.version.value
|
|
115 |
public static final String VERSION = NAME + DOT + INFO + DOT +
|
|
116 |
X509CertInfo.VERSION + DOT +
|
|
117 |
CertificateVersion.VERSION;
|
|
118 |
|
|
119 |
// x509.algorithm
|
|
120 |
public static final String SIG_ALG = NAME + DOT + ALG_ID;
|
|
121 |
|
|
122 |
// x509.signature
|
|
123 |
public static final String SIG = NAME + DOT + SIGNATURE;
|
|
124 |
|
|
125 |
// when we sign and decode we set this to true
|
|
126 |
// this is our means to make certificates immutable
|
|
127 |
private boolean readOnly = false;
|
|
128 |
|
|
129 |
// Certificate data, and its envelope
|
|
130 |
private byte[] signedCert = null;
|
|
131 |
protected X509CertInfo info = null;
|
|
132 |
protected AlgorithmId algId = null;
|
|
133 |
protected byte[] signature = null;
|
|
134 |
|
|
135 |
// recognized extension OIDS
|
|
136 |
private static final String KEY_USAGE_OID = "2.5.29.15";
|
|
137 |
private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
|
|
138 |
private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
|
|
139 |
private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
|
|
140 |
private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
|
|
141 |
private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
|
|
142 |
|
|
143 |
// number of standard key usage bits.
|
|
144 |
private static final int NUM_STANDARD_KEY_USAGE = 9;
|
|
145 |
|
|
146 |
// SubjectAlterntativeNames cache
|
|
147 |
private Collection<List<?>> subjectAlternativeNames;
|
|
148 |
|
|
149 |
// IssuerAlternativeNames cache
|
|
150 |
private Collection<List<?>> issuerAlternativeNames;
|
|
151 |
|
|
152 |
// ExtendedKeyUsage cache
|
|
153 |
private List<String> extKeyUsage;
|
|
154 |
|
|
155 |
// AuthorityInformationAccess cache
|
|
156 |
private Set<AccessDescription> authInfoAccess;
|
|
157 |
|
|
158 |
/**
|
|
159 |
* PublicKey that has previously been used to verify
|
|
160 |
* the signature of this certificate. Null if the certificate has not
|
|
161 |
* yet been verified.
|
|
162 |
*/
|
|
163 |
private PublicKey verifiedPublicKey;
|
|
164 |
/**
|
|
165 |
* If verifiedPublicKey is not null, name of the provider used to
|
|
166 |
* successfully verify the signature of this certificate, or the
|
|
167 |
* empty String if no provider was explicitly specified.
|
|
168 |
*/
|
|
169 |
private String verifiedProvider;
|
|
170 |
/**
|
|
171 |
* If verifiedPublicKey is not null, result of the verification using
|
|
172 |
* verifiedPublicKey and verifiedProvider. If true, verification was
|
|
173 |
* successful, if false, it failed.
|
|
174 |
*/
|
|
175 |
private boolean verificationResult;
|
|
176 |
|
|
177 |
/**
|
|
178 |
* Default constructor.
|
|
179 |
*/
|
|
180 |
public X509CertImpl() { }
|
|
181 |
|
|
182 |
/**
|
|
183 |
* Unmarshals a certificate from its encoded form, parsing the
|
|
184 |
* encoded bytes. This form of constructor is used by agents which
|
|
185 |
* need to examine and use certificate contents. That is, this is
|
|
186 |
* one of the more commonly used constructors. Note that the buffer
|
|
187 |
* must include only a certificate, and no "garbage" may be left at
|
|
188 |
* the end. If you need to ignore data at the end of a certificate,
|
|
189 |
* use another constructor.
|
|
190 |
*
|
|
191 |
* @param certData the encoded bytes, with no trailing padding.
|
|
192 |
* @exception CertificateException on parsing and initialization errors.
|
|
193 |
*/
|
|
194 |
public X509CertImpl(byte[] certData) throws CertificateException {
|
|
195 |
try {
|
|
196 |
parse(new DerValue(certData));
|
|
197 |
} catch (IOException e) {
|
|
198 |
signedCert = null;
|
|
199 |
CertificateException ce = new
|
|
200 |
CertificateException("Unable to initialize, " + e);
|
|
201 |
ce.initCause(e);
|
|
202 |
throw ce;
|
|
203 |
}
|
|
204 |
}
|
|
205 |
|
|
206 |
/**
|
|
207 |
* unmarshals an X.509 certificate from an input stream. If the
|
|
208 |
* certificate is RFC1421 hex-encoded, then it must begin with
|
|
209 |
* the line X509Factory.BEGIN_CERT and end with the line
|
|
210 |
* X509Factory.END_CERT.
|
|
211 |
*
|
|
212 |
* @param in an input stream holding at least one certificate that may
|
|
213 |
* be either DER-encoded or RFC1421 hex-encoded version of the
|
|
214 |
* DER-encoded certificate.
|
|
215 |
* @exception CertificateException on parsing and initialization errors.
|
|
216 |
*/
|
|
217 |
public X509CertImpl(InputStream in) throws CertificateException {
|
|
218 |
|
|
219 |
DerValue der = null;
|
|
220 |
|
|
221 |
BufferedInputStream inBuffered = new BufferedInputStream(in);
|
|
222 |
|
|
223 |
// First try reading stream as HEX-encoded DER-encoded bytes,
|
|
224 |
// since not mistakable for raw DER
|
|
225 |
try {
|
|
226 |
inBuffered.mark(Integer.MAX_VALUE);
|
|
227 |
der = readRFC1421Cert(inBuffered);
|
|
228 |
} catch (IOException ioe) {
|
|
229 |
try {
|
|
230 |
// Next, try reading stream as raw DER-encoded bytes
|
|
231 |
inBuffered.reset();
|
|
232 |
der = new DerValue(inBuffered);
|
|
233 |
} catch (IOException ioe1) {
|
|
234 |
CertificateException ce = new
|
|
235 |
CertificateException("Input stream must be " +
|
|
236 |
"either DER-encoded bytes " +
|
|
237 |
"or RFC1421 hex-encoded " +
|
|
238 |
"DER-encoded bytes: " +
|
|
239 |
ioe1.getMessage());
|
|
240 |
ce.initCause(ioe1);
|
|
241 |
throw ce;
|
|
242 |
}
|
|
243 |
}
|
|
244 |
try {
|
|
245 |
parse(der);
|
|
246 |
} catch (IOException ioe) {
|
|
247 |
signedCert = null;
|
|
248 |
CertificateException ce = new
|
|
249 |
CertificateException("Unable to parse DER value of " +
|
|
250 |
"certificate, " + ioe);
|
|
251 |
ce.initCause(ioe);
|
|
252 |
throw ce;
|
|
253 |
}
|
|
254 |
}
|
|
255 |
|
|
256 |
/**
|
|
257 |
* read input stream as HEX-encoded DER-encoded bytes
|
|
258 |
*
|
|
259 |
* @param in InputStream to read
|
|
260 |
* @returns DerValue corresponding to decoded HEX-encoded bytes
|
|
261 |
* @throws IOException if stream can not be interpreted as RFC1421
|
|
262 |
* encoded bytes
|
|
263 |
*/
|
|
264 |
private DerValue readRFC1421Cert(InputStream in) throws IOException {
|
|
265 |
DerValue der = null;
|
|
266 |
String line = null;
|
|
267 |
BufferedReader certBufferedReader =
|
|
268 |
new BufferedReader(new InputStreamReader(in, "ASCII"));
|
|
269 |
try {
|
|
270 |
line = certBufferedReader.readLine();
|
|
271 |
} catch (IOException ioe1) {
|
|
272 |
throw new IOException("Unable to read InputStream: " +
|
|
273 |
ioe1.getMessage());
|
|
274 |
}
|
|
275 |
if (line.equals(X509Factory.BEGIN_CERT)) {
|
|
276 |
/* stream appears to be hex-encoded bytes */
|
|
277 |
BASE64Decoder decoder = new BASE64Decoder();
|
|
278 |
ByteArrayOutputStream decstream = new ByteArrayOutputStream();
|
|
279 |
try {
|
|
280 |
while ((line = certBufferedReader.readLine()) != null) {
|
|
281 |
if (line.equals(X509Factory.END_CERT)) {
|
|
282 |
der = new DerValue(decstream.toByteArray());
|
|
283 |
break;
|
|
284 |
} else {
|
|
285 |
decstream.write(decoder.decodeBuffer(line));
|
|
286 |
}
|
|
287 |
}
|
|
288 |
} catch (IOException ioe2) {
|
|
289 |
throw new IOException("Unable to read InputStream: "
|
|
290 |
+ ioe2.getMessage());
|
|
291 |
}
|
|
292 |
} else {
|
|
293 |
throw new IOException("InputStream is not RFC1421 hex-encoded " +
|
|
294 |
"DER bytes");
|
|
295 |
}
|
|
296 |
return der;
|
|
297 |
}
|
|
298 |
|
|
299 |
/**
|
|
300 |
* Construct an initialized X509 Certificate. The certificate is stored
|
|
301 |
* in raw form and has to be signed to be useful.
|
|
302 |
*
|
|
303 |
* @params info the X509CertificateInfo which the Certificate is to be
|
|
304 |
* created from.
|
|
305 |
*/
|
|
306 |
public X509CertImpl(X509CertInfo certInfo) {
|
|
307 |
this.info = certInfo;
|
|
308 |
}
|
|
309 |
|
|
310 |
/**
|
|
311 |
* Unmarshal a certificate from its encoded form, parsing a DER value.
|
|
312 |
* This form of constructor is used by agents which need to examine
|
|
313 |
* and use certificate contents.
|
|
314 |
*
|
|
315 |
* @param derVal the der value containing the encoded cert.
|
|
316 |
* @exception CertificateException on parsing and initialization errors.
|
|
317 |
*/
|
|
318 |
public X509CertImpl(DerValue derVal) throws CertificateException {
|
|
319 |
try {
|
|
320 |
parse(derVal);
|
|
321 |
} catch (IOException e) {
|
|
322 |
signedCert = null;
|
|
323 |
CertificateException ce = new
|
|
324 |
CertificateException("Unable to initialize, " + e);
|
|
325 |
ce.initCause(e);
|
|
326 |
throw ce;
|
|
327 |
}
|
|
328 |
}
|
|
329 |
|
|
330 |
/**
|
|
331 |
* Appends the certificate to an output stream.
|
|
332 |
*
|
|
333 |
* @param out an input stream to which the certificate is appended.
|
|
334 |
* @exception CertificateEncodingException on encoding errors.
|
|
335 |
*/
|
|
336 |
public void encode(OutputStream out)
|
|
337 |
throws CertificateEncodingException {
|
|
338 |
if (signedCert == null)
|
|
339 |
throw new CertificateEncodingException(
|
|
340 |
"Null certificate to encode");
|
|
341 |
try {
|
|
342 |
out.write(signedCert.clone());
|
|
343 |
} catch (IOException e) {
|
|
344 |
throw new CertificateEncodingException(e.toString());
|
|
345 |
}
|
|
346 |
}
|
|
347 |
|
|
348 |
/**
|
|
349 |
* DER encode this object onto an output stream.
|
|
350 |
* Implements the <code>DerEncoder</code> interface.
|
|
351 |
*
|
|
352 |
* @param out the output stream on which to write the DER encoding.
|
|
353 |
*
|
|
354 |
* @exception IOException on encoding error.
|
|
355 |
*/
|
|
356 |
public void derEncode(OutputStream out) throws IOException {
|
|
357 |
if (signedCert == null)
|
|
358 |
throw new IOException("Null certificate to encode");
|
|
359 |
out.write(signedCert.clone());
|
|
360 |
}
|
|
361 |
|
|
362 |
/**
|
|
363 |
* Returns the encoded form of this certificate. It is
|
|
364 |
* assumed that each certificate type would have only a single
|
|
365 |
* form of encoding; for example, X.509 certificates would
|
|
366 |
* be encoded as ASN.1 DER.
|
|
367 |
*
|
|
368 |
* @exception CertificateEncodingException if an encoding error occurs.
|
|
369 |
*/
|
|
370 |
public byte[] getEncoded() throws CertificateEncodingException {
|
|
371 |
return getEncodedInternal().clone();
|
|
372 |
}
|
|
373 |
|
|
374 |
/**
|
|
375 |
* Returned the encoding as an uncloned byte array. Callers must
|
|
376 |
* guarantee that they neither modify it nor expose it to untrusted
|
|
377 |
* code.
|
|
378 |
*/
|
|
379 |
public byte[] getEncodedInternal() throws CertificateEncodingException {
|
|
380 |
if (signedCert == null) {
|
|
381 |
throw new CertificateEncodingException(
|
|
382 |
"Null certificate to encode");
|
|
383 |
}
|
|
384 |
return signedCert;
|
|
385 |
}
|
|
386 |
|
|
387 |
/**
|
|
388 |
* Throws an exception if the certificate was not signed using the
|
|
389 |
* verification key provided. Successfully verifying a certificate
|
|
390 |
* does <em>not</em> indicate that one should trust the entity which
|
|
391 |
* it represents.
|
|
392 |
*
|
|
393 |
* @param key the public key used for verification.
|
|
394 |
*
|
|
395 |
* @exception InvalidKeyException on incorrect key.
|
|
396 |
* @exception NoSuchAlgorithmException on unsupported signature
|
|
397 |
* algorithms.
|
|
398 |
* @exception NoSuchProviderException if there's no default provider.
|
|
399 |
* @exception SignatureException on signature errors.
|
|
400 |
* @exception CertificateException on encoding errors.
|
|
401 |
*/
|
|
402 |
public void verify(PublicKey key)
|
|
403 |
throws CertificateException, NoSuchAlgorithmException,
|
|
404 |
InvalidKeyException, NoSuchProviderException, SignatureException {
|
|
405 |
|
|
406 |
verify(key, "");
|
|
407 |
}
|
|
408 |
|
|
409 |
/**
|
|
410 |
* Throws an exception if the certificate was not signed using the
|
|
411 |
* verification key provided. Successfully verifying a certificate
|
|
412 |
* does <em>not</em> indicate that one should trust the entity which
|
|
413 |
* it represents.
|
|
414 |
*
|
|
415 |
* @param key the public key used for verification.
|
|
416 |
* @param sigProvider the name of the provider.
|
|
417 |
*
|
|
418 |
* @exception NoSuchAlgorithmException on unsupported signature
|
|
419 |
* algorithms.
|
|
420 |
* @exception InvalidKeyException on incorrect key.
|
|
421 |
* @exception NoSuchProviderException on incorrect provider.
|
|
422 |
* @exception SignatureException on signature errors.
|
|
423 |
* @exception CertificateException on encoding errors.
|
|
424 |
*/
|
|
425 |
public synchronized void verify(PublicKey key, String sigProvider)
|
|
426 |
throws CertificateException, NoSuchAlgorithmException,
|
|
427 |
InvalidKeyException, NoSuchProviderException, SignatureException {
|
|
428 |
if (sigProvider == null) {
|
|
429 |
sigProvider = "";
|
|
430 |
}
|
|
431 |
if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
|
|
432 |
// this certificate has already been verified using
|
|
433 |
// this public key. Make sure providers match, too.
|
|
434 |
if (sigProvider.equals(verifiedProvider)) {
|
|
435 |
if (verificationResult) {
|
|
436 |
return;
|
|
437 |
} else {
|
|
438 |
throw new SignatureException("Signature does not match.");
|
|
439 |
}
|
|
440 |
}
|
|
441 |
}
|
|
442 |
if (signedCert == null) {
|
|
443 |
throw new CertificateEncodingException("Uninitialized certificate");
|
|
444 |
}
|
|
445 |
// Verify the signature ...
|
|
446 |
Signature sigVerf = null;
|
|
447 |
if (sigProvider.length() == 0) {
|
|
448 |
sigVerf = Signature.getInstance(algId.getName());
|
|
449 |
} else {
|
|
450 |
sigVerf = Signature.getInstance(algId.getName(), sigProvider);
|
|
451 |
}
|
|
452 |
sigVerf.initVerify(key);
|
|
453 |
|
|
454 |
byte[] rawCert = info.getEncodedInfo();
|
|
455 |
sigVerf.update(rawCert, 0, rawCert.length);
|
|
456 |
|
|
457 |
// verify may throw SignatureException for invalid encodings, etc.
|
|
458 |
verificationResult = sigVerf.verify(signature);
|
|
459 |
verifiedPublicKey = key;
|
|
460 |
verifiedProvider = sigProvider;
|
|
461 |
|
|
462 |
if (verificationResult == false) {
|
|
463 |
throw new SignatureException("Signature does not match.");
|
|
464 |
}
|
|
465 |
}
|
|
466 |
|
|
467 |
/**
|
|
468 |
* Creates an X.509 certificate, and signs it using the given key
|
|
469 |
* (associating a signature algorithm and an X.500 name).
|
|
470 |
* This operation is used to implement the certificate generation
|
|
471 |
* functionality of a certificate authority.
|
|
472 |
*
|
|
473 |
* @param key the private key used for signing.
|
|
474 |
* @param algorithm the name of the signature algorithm used.
|
|
475 |
*
|
|
476 |
* @exception InvalidKeyException on incorrect key.
|
|
477 |
* @exception NoSuchAlgorithmException on unsupported signature
|
|
478 |
* algorithms.
|
|
479 |
* @exception NoSuchProviderException if there's no default provider.
|
|
480 |
* @exception SignatureException on signature errors.
|
|
481 |
* @exception CertificateException on encoding errors.
|
|
482 |
*/
|
|
483 |
public void sign(PrivateKey key, String algorithm)
|
|
484 |
throws CertificateException, NoSuchAlgorithmException,
|
|
485 |
InvalidKeyException, NoSuchProviderException, SignatureException {
|
|
486 |
sign(key, algorithm, null);
|
|
487 |
}
|
|
488 |
|
|
489 |
/**
|
|
490 |
* Creates an X.509 certificate, and signs it using the given key
|
|
491 |
* (associating a signature algorithm and an X.500 name).
|
|
492 |
* This operation is used to implement the certificate generation
|
|
493 |
* functionality of a certificate authority.
|
|
494 |
*
|
|
495 |
* @param key the private key used for signing.
|
|
496 |
* @param algorithm the name of the signature algorithm used.
|
|
497 |
* @param provider the name of the provider.
|
|
498 |
*
|
|
499 |
* @exception NoSuchAlgorithmException on unsupported signature
|
|
500 |
* algorithms.
|
|
501 |
* @exception InvalidKeyException on incorrect key.
|
|
502 |
* @exception NoSuchProviderException on incorrect provider.
|
|
503 |
* @exception SignatureException on signature errors.
|
|
504 |
* @exception CertificateException on encoding errors.
|
|
505 |
*/
|
|
506 |
public void sign(PrivateKey key, String algorithm, String provider)
|
|
507 |
throws CertificateException, NoSuchAlgorithmException,
|
|
508 |
InvalidKeyException, NoSuchProviderException, SignatureException {
|
|
509 |
try {
|
|
510 |
if (readOnly)
|
|
511 |
throw new CertificateEncodingException(
|
|
512 |
"cannot over-write existing certificate");
|
|
513 |
Signature sigEngine = null;
|
|
514 |
if ((provider == null) || (provider.length() == 0))
|
|
515 |
sigEngine = Signature.getInstance(algorithm);
|
|
516 |
else
|
|
517 |
sigEngine = Signature.getInstance(algorithm, provider);
|
|
518 |
|
|
519 |
sigEngine.initSign(key);
|
|
520 |
|
|
521 |
// in case the name is reset
|
|
522 |
algId = AlgorithmId.get(sigEngine.getAlgorithm());
|
|
523 |
|
|
524 |
DerOutputStream out = new DerOutputStream();
|
|
525 |
DerOutputStream tmp = new DerOutputStream();
|
|
526 |
|
|
527 |
// encode certificate info
|
|
528 |
info.encode(tmp);
|
|
529 |
byte[] rawCert = tmp.toByteArray();
|
|
530 |
|
|
531 |
// encode algorithm identifier
|
|
532 |
algId.encode(tmp);
|
|
533 |
|
|
534 |
// Create and encode the signature itself.
|
|
535 |
sigEngine.update(rawCert, 0, rawCert.length);
|
|
536 |
signature = sigEngine.sign();
|
|
537 |
tmp.putBitString(signature);
|
|
538 |
|
|
539 |
// Wrap the signed data in a SEQUENCE { data, algorithm, sig }
|
|
540 |
out.write(DerValue.tag_Sequence, tmp);
|
|
541 |
signedCert = out.toByteArray();
|
|
542 |
readOnly = true;
|
|
543 |
|
|
544 |
} catch (IOException e) {
|
|
545 |
throw new CertificateEncodingException(e.toString());
|
|
546 |
}
|
|
547 |
}
|
|
548 |
|
|
549 |
/**
|
|
550 |
* Checks that the certificate is currently valid, i.e. the current
|
|
551 |
* time is within the specified validity period.
|
|
552 |
*
|
|
553 |
* @exception CertificateExpiredException if the certificate has expired.
|
|
554 |
* @exception CertificateNotYetValidException if the certificate is not
|
|
555 |
* yet valid.
|
|
556 |
*/
|
|
557 |
public void checkValidity()
|
|
558 |
throws CertificateExpiredException, CertificateNotYetValidException {
|
|
559 |
Date date = new Date();
|
|
560 |
checkValidity(date);
|
|
561 |
}
|
|
562 |
|
|
563 |
/**
|
|
564 |
* Checks that the specified date is within the certificate's
|
|
565 |
* validity period, or basically if the certificate would be
|
|
566 |
* valid at the specified date/time.
|
|
567 |
*
|
|
568 |
* @param date the Date to check against to see if this certificate
|
|
569 |
* is valid at that date/time.
|
|
570 |
*
|
|
571 |
* @exception CertificateExpiredException if the certificate has expired
|
|
572 |
* with respect to the <code>date</code> supplied.
|
|
573 |
* @exception CertificateNotYetValidException if the certificate is not
|
|
574 |
* yet valid with respect to the <code>date</code> supplied.
|
|
575 |
*/
|
|
576 |
public void checkValidity(Date date)
|
|
577 |
throws CertificateExpiredException, CertificateNotYetValidException {
|
|
578 |
|
|
579 |
CertificateValidity interval = null;
|
|
580 |
try {
|
|
581 |
interval = (CertificateValidity)info.get(CertificateValidity.NAME);
|
|
582 |
} catch (Exception e) {
|
|
583 |
throw new CertificateNotYetValidException("Incorrect validity period");
|
|
584 |
}
|
|
585 |
if (interval == null)
|
|
586 |
throw new CertificateNotYetValidException("Null validity period");
|
|
587 |
interval.valid(date);
|
|
588 |
}
|
|
589 |
|
|
590 |
/**
|
|
591 |
* Return the requested attribute from the certificate.
|
|
592 |
*
|
|
593 |
* Note that the X509CertInfo is not cloned for performance reasons.
|
|
594 |
* Callers must ensure that they do not modify it. All other
|
|
595 |
* attributes are cloned.
|
|
596 |
*
|
|
597 |
* @param name the name of the attribute.
|
|
598 |
* @exception CertificateParsingException on invalid attribute identifier.
|
|
599 |
*/
|
|
600 |
public Object get(String name)
|
|
601 |
throws CertificateParsingException {
|
|
602 |
X509AttributeName attr = new X509AttributeName(name);
|
|
603 |
String id = attr.getPrefix();
|
|
604 |
if (!(id.equalsIgnoreCase(NAME))) {
|
|
605 |
throw new CertificateParsingException("Invalid root of "
|
|
606 |
+ "attribute name, expected [" + NAME +
|
|
607 |
"], received " + "[" + id + "]");
|
|
608 |
}
|
|
609 |
attr = new X509AttributeName(attr.getSuffix());
|
|
610 |
id = attr.getPrefix();
|
|
611 |
|
|
612 |
if (id.equalsIgnoreCase(INFO)) {
|
|
613 |
if (info == null) {
|
|
614 |
return null;
|
|
615 |
}
|
|
616 |
if (attr.getSuffix() != null) {
|
|
617 |
try {
|
|
618 |
return info.get(attr.getSuffix());
|
|
619 |
} catch (IOException e) {
|
|
620 |
throw new CertificateParsingException(e.toString());
|
|
621 |
} catch (CertificateException e) {
|
|
622 |
throw new CertificateParsingException(e.toString());
|
|
623 |
}
|
|
624 |
} else {
|
|
625 |
return info;
|
|
626 |
}
|
|
627 |
} else if (id.equalsIgnoreCase(ALG_ID)) {
|
|
628 |
return(algId);
|
|
629 |
} else if (id.equalsIgnoreCase(SIGNATURE)) {
|
|
630 |
if (signature != null)
|
|
631 |
return signature.clone();
|
|
632 |
else
|
|
633 |
return null;
|
|
634 |
} else if (id.equalsIgnoreCase(SIGNED_CERT)) {
|
|
635 |
if (signedCert != null)
|
|
636 |
return signedCert.clone();
|
|
637 |
else
|
|
638 |
return null;
|
|
639 |
} else {
|
|
640 |
throw new CertificateParsingException("Attribute name not "
|
|
641 |
+ "recognized or get() not allowed for the same: " + id);
|
|
642 |
}
|
|
643 |
}
|
|
644 |
|
|
645 |
/**
|
|
646 |
* Set the requested attribute in the certificate.
|
|
647 |
*
|
|
648 |
* @param name the name of the attribute.
|
|
649 |
* @param obj the value of the attribute.
|
|
650 |
* @exception CertificateException on invalid attribute identifier.
|
|
651 |
* @exception IOException on encoding error of attribute.
|
|
652 |
*/
|
|
653 |
public void set(String name, Object obj)
|
|
654 |
throws CertificateException, IOException {
|
|
655 |
// check if immutable
|
|
656 |
if (readOnly)
|
|
657 |
throw new CertificateException("cannot over-write existing"
|
|
658 |
+ " certificate");
|
|
659 |
|
|
660 |
X509AttributeName attr = new X509AttributeName(name);
|
|
661 |
String id = attr.getPrefix();
|
|
662 |
if (!(id.equalsIgnoreCase(NAME))) {
|
|
663 |
throw new CertificateException("Invalid root of attribute name,"
|
|
664 |
+ " expected [" + NAME + "], received " + id);
|
|
665 |
}
|
|
666 |
attr = new X509AttributeName(attr.getSuffix());
|
|
667 |
id = attr.getPrefix();
|
|
668 |
|
|
669 |
if (id.equalsIgnoreCase(INFO)) {
|
|
670 |
if (attr.getSuffix() == null) {
|
|
671 |
if (!(obj instanceof X509CertInfo)) {
|
|
672 |
throw new CertificateException("Attribute value should"
|
|
673 |
+ " be of type X509CertInfo.");
|
|
674 |
}
|
|
675 |
info = (X509CertInfo)obj;
|
|
676 |
signedCert = null; //reset this as certificate data has changed
|
|
677 |
} else {
|
|
678 |
info.set(attr.getSuffix(), obj);
|
|
679 |
signedCert = null; //reset this as certificate data has changed
|
|
680 |
}
|
|
681 |
} else {
|
|
682 |
throw new CertificateException("Attribute name not recognized or " +
|
|
683 |
"set() not allowed for the same: " + id);
|
|
684 |
}
|
|
685 |
}
|
|
686 |
|
|
687 |
/**
|
|
688 |
* Delete the requested attribute from the certificate.
|
|
689 |
*
|
|
690 |
* @param name the name of the attribute.
|
|
691 |
* @exception CertificateException on invalid attribute identifier.
|
|
692 |
* @exception IOException on other errors.
|
|
693 |
*/
|
|
694 |
public void delete(String name)
|
|
695 |
throws CertificateException, IOException {
|
|
696 |
// check if immutable
|
|
697 |
if (readOnly)
|
|
698 |
throw new CertificateException("cannot over-write existing"
|
|
699 |
+ " certificate");
|
|
700 |
|
|
701 |
X509AttributeName attr = new X509AttributeName(name);
|
|
702 |
String id = attr.getPrefix();
|
|
703 |
if (!(id.equalsIgnoreCase(NAME))) {
|
|
704 |
throw new CertificateException("Invalid root of attribute name,"
|
|
705 |
+ " expected ["
|
|
706 |
+ NAME + "], received " + id);
|
|
707 |
}
|
|
708 |
attr = new X509AttributeName(attr.getSuffix());
|
|
709 |
id = attr.getPrefix();
|
|
710 |
|
|
711 |
if (id.equalsIgnoreCase(INFO)) {
|
|
712 |
if (attr.getSuffix() != null) {
|
|
713 |
info = null;
|
|
714 |
} else {
|
|
715 |
info.delete(attr.getSuffix());
|
|
716 |
}
|
|
717 |
} else if (id.equalsIgnoreCase(ALG_ID)) {
|
|
718 |
algId = null;
|
|
719 |
} else if (id.equalsIgnoreCase(SIGNATURE)) {
|
|
720 |
signature = null;
|
|
721 |
} else if (id.equalsIgnoreCase(SIGNED_CERT)) {
|
|
722 |
signedCert = null;
|
|
723 |
} else {
|
|
724 |
throw new CertificateException("Attribute name not recognized or " +
|
|
725 |
"delete() not allowed for the same: " + id);
|
|
726 |
}
|
|
727 |
}
|
|
728 |
|
|
729 |
/**
|
|
730 |
* Return an enumeration of names of attributes existing within this
|
|
731 |
* attribute.
|
|
732 |
*/
|
|
733 |
public Enumeration<String> getElements() {
|
|
734 |
AttributeNameEnumeration elements = new AttributeNameEnumeration();
|
|
735 |
elements.addElement(NAME + DOT + INFO);
|
|
736 |
elements.addElement(NAME + DOT + ALG_ID);
|
|
737 |
elements.addElement(NAME + DOT + SIGNATURE);
|
|
738 |
elements.addElement(NAME + DOT + SIGNED_CERT);
|
|
739 |
|
|
740 |
return elements.elements();
|
|
741 |
}
|
|
742 |
|
|
743 |
/**
|
|
744 |
* Return the name of this attribute.
|
|
745 |
*/
|
|
746 |
public String getName() {
|
|
747 |
return(NAME);
|
|
748 |
}
|
|
749 |
|
|
750 |
/**
|
|
751 |
* Returns a printable representation of the certificate. This does not
|
|
752 |
* contain all the information available to distinguish this from any
|
|
753 |
* other certificate. The certificate must be fully constructed
|
|
754 |
* before this function may be called.
|
|
755 |
*/
|
|
756 |
public String toString() {
|
|
757 |
if (info == null || algId == null || signature == null)
|
|
758 |
return "";
|
|
759 |
|
|
760 |
StringBuilder sb = new StringBuilder();
|
|
761 |
|
|
762 |
sb.append("[\n");
|
|
763 |
sb.append(info.toString() + "\n");
|
|
764 |
sb.append(" Algorithm: [" + algId.toString() + "]\n");
|
|
765 |
|
|
766 |
HexDumpEncoder encoder = new HexDumpEncoder();
|
|
767 |
sb.append(" Signature:\n" + encoder.encodeBuffer(signature));
|
|
768 |
sb.append("\n]");
|
|
769 |
|
|
770 |
return sb.toString();
|
|
771 |
}
|
|
772 |
|
|
773 |
// the strongly typed gets, as per java.security.cert.X509Certificate
|
|
774 |
|
|
775 |
/**
|
|
776 |
* Gets the publickey from this certificate.
|
|
777 |
*
|
|
778 |
* @return the publickey.
|
|
779 |
*/
|
|
780 |
public PublicKey getPublicKey() {
|
|
781 |
if (info == null)
|
|
782 |
return null;
|
|
783 |
try {
|
|
784 |
PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
|
|
785 |
+ DOT + CertificateX509Key.KEY);
|
|
786 |
return key;
|
|
787 |
} catch (Exception e) {
|
|
788 |
return null;
|
|
789 |
}
|
|
790 |
}
|
|
791 |
|
|
792 |
/**
|
|
793 |
* Gets the version number from the certificate.
|
|
794 |
*
|
|
795 |
* @return the version number, i.e. 1, 2 or 3.
|
|
796 |
*/
|
|
797 |
public int getVersion() {
|
|
798 |
if (info == null)
|
|
799 |
return -1;
|
|
800 |
try {
|
|
801 |
int vers = ((Integer)info.get(CertificateVersion.NAME
|
|
802 |
+ DOT + CertificateVersion.VERSION)).intValue();
|
|
803 |
return vers+1;
|
|
804 |
} catch (Exception e) {
|
|
805 |
return -1;
|
|
806 |
}
|
|
807 |
}
|
|
808 |
|
|
809 |
/**
|
|
810 |
* Gets the serial number from the certificate.
|
|
811 |
*
|
|
812 |
* @return the serial number.
|
|
813 |
*/
|
|
814 |
public BigInteger getSerialNumber() {
|
|
815 |
SerialNumber ser = getSerialNumberObject();
|
|
816 |
|
|
817 |
return ser != null ? ser.getNumber() : null;
|
|
818 |
}
|
|
819 |
|
|
820 |
/**
|
|
821 |
* Gets the serial number from the certificate as
|
|
822 |
* a SerialNumber object.
|
|
823 |
*
|
|
824 |
* @return the serial number.
|
|
825 |
*/
|
|
826 |
public SerialNumber getSerialNumberObject() {
|
|
827 |
if (info == null)
|
|
828 |
return null;
|
|
829 |
try {
|
|
830 |
SerialNumber ser = (SerialNumber)info.get(
|
|
831 |
CertificateSerialNumber.NAME + DOT +
|
|
832 |
CertificateSerialNumber.NUMBER);
|
|
833 |
return ser;
|
|
834 |
} catch (Exception e) {
|
|
835 |
return null;
|
|
836 |
}
|
|
837 |
}
|
|
838 |
|
|
839 |
|
|
840 |
/**
|
|
841 |
* Gets the subject distinguished name from the certificate.
|
|
842 |
*
|
|
843 |
* @return the subject name.
|
|
844 |
*/
|
|
845 |
public Principal getSubjectDN() {
|
|
846 |
if (info == null)
|
|
847 |
return null;
|
|
848 |
try {
|
|
849 |
Principal subject = (Principal)info.get(
|
|
850 |
CertificateSubjectName.NAME + DOT +
|
|
851 |
CertificateSubjectName.DN_NAME);
|
|
852 |
return subject;
|
|
853 |
} catch (Exception e) {
|
|
854 |
return null;
|
|
855 |
}
|
|
856 |
}
|
|
857 |
|
|
858 |
/**
|
|
859 |
* Get subject name as X500Principal. Overrides implementation in
|
|
860 |
* X509Certificate with a slightly more efficient version that is
|
|
861 |
* also aware of X509CertImpl mutability.
|
|
862 |
*/
|
|
863 |
public X500Principal getSubjectX500Principal() {
|
|
864 |
if (info == null) {
|
|
865 |
return null;
|
|
866 |
}
|
|
867 |
try {
|
|
868 |
X500Principal subject = (X500Principal)info.get(
|
|
869 |
CertificateSubjectName.NAME + DOT +
|
|
870 |
CertificateSubjectName.DN_PRINCIPAL);
|
|
871 |
return subject;
|
|
872 |
} catch (Exception e) {
|
|
873 |
return null;
|
|
874 |
}
|
|
875 |
}
|
|
876 |
|
|
877 |
/**
|
|
878 |
* Gets the issuer distinguished name from the certificate.
|
|
879 |
*
|
|
880 |
* @return the issuer name.
|
|
881 |
*/
|
|
882 |
public Principal getIssuerDN() {
|
|
883 |
if (info == null)
|
|
884 |
return null;
|
|
885 |
try {
|
|
886 |
Principal issuer = (Principal)info.get(
|
|
887 |
CertificateIssuerName.NAME + DOT +
|
|
888 |
CertificateIssuerName.DN_NAME);
|
|
889 |
return issuer;
|
|
890 |
} catch (Exception e) {
|
|
891 |
return null;
|
|
892 |
}
|
|
893 |
}
|
|
894 |
|
|
895 |
/**
|
|
896 |
* Get issuer name as X500Principal. Overrides implementation in
|
|
897 |
* X509Certificate with a slightly more efficient version that is
|
|
898 |
* also aware of X509CertImpl mutability.
|
|
899 |
*/
|
|
900 |
public X500Principal getIssuerX500Principal() {
|
|
901 |
if (info == null) {
|
|
902 |
return null;
|
|
903 |
}
|
|
904 |
try {
|
|
905 |
X500Principal issuer = (X500Principal)info.get(
|
|
906 |
CertificateIssuerName.NAME + DOT +
|
|
907 |
CertificateIssuerName.DN_PRINCIPAL);
|
|
908 |
return issuer;
|
|
909 |
} catch (Exception e) {
|
|
910 |
return null;
|
|
911 |
}
|
|
912 |
}
|
|
913 |
|
|
914 |
/**
|
|
915 |
* Gets the notBefore date from the validity period of the certificate.
|
|
916 |
*
|
|
917 |
* @return the start date of the validity period.
|
|
918 |
*/
|
|
919 |
public Date getNotBefore() {
|
|
920 |
if (info == null)
|
|
921 |
return null;
|
|
922 |
try {
|
|
923 |
Date d = (Date) info.get(CertificateValidity.NAME + DOT +
|
|
924 |
CertificateValidity.NOT_BEFORE);
|
|
925 |
return d;
|
|
926 |
} catch (Exception e) {
|
|
927 |
return null;
|
|
928 |
}
|
|
929 |
}
|
|
930 |
|
|
931 |
/**
|
|
932 |
* Gets the notAfter date from the validity period of the certificate.
|
|
933 |
*
|
|
934 |
* @return the end date of the validity period.
|
|
935 |
*/
|
|
936 |
public Date getNotAfter() {
|
|
937 |
if (info == null)
|
|
938 |
return null;
|
|
939 |
try {
|
|
940 |
Date d = (Date) info.get(CertificateValidity.NAME + DOT +
|
|
941 |
CertificateValidity.NOT_AFTER);
|
|
942 |
return d;
|
|
943 |
} catch (Exception e) {
|
|
944 |
return null;
|
|
945 |
}
|
|
946 |
}
|
|
947 |
|
|
948 |
/**
|
|
949 |
* Gets the DER encoded certificate informations, the
|
|
950 |
* <code>tbsCertificate</code> from this certificate.
|
|
951 |
* This can be used to verify the signature independently.
|
|
952 |
*
|
|
953 |
* @return the DER encoded certificate information.
|
|
954 |
* @exception CertificateEncodingException if an encoding error occurs.
|
|
955 |
*/
|
|
956 |
public byte[] getTBSCertificate() throws CertificateEncodingException {
|
|
957 |
if (info != null) {
|
|
958 |
return info.getEncodedInfo();
|
|
959 |
} else
|
|
960 |
throw new CertificateEncodingException("Uninitialized certificate");
|
|
961 |
}
|
|
962 |
|
|
963 |
/**
|
|
964 |
* Gets the raw Signature bits from the certificate.
|
|
965 |
*
|
|
966 |
* @return the signature.
|
|
967 |
*/
|
|
968 |
public byte[] getSignature() {
|
|
969 |
if (signature == null)
|
|
970 |
return null;
|
|
971 |
byte[] dup = new byte[signature.length];
|
|
972 |
System.arraycopy(signature, 0, dup, 0, dup.length);
|
|
973 |
return dup;
|
|
974 |
}
|
|
975 |
|
|
976 |
/**
|
|
977 |
* Gets the signature algorithm name for the certificate
|
|
978 |
* signature algorithm.
|
|
979 |
* For example, the string "SHA-1/DSA" or "DSS".
|
|
980 |
*
|
|
981 |
* @return the signature algorithm name.
|
|
982 |
*/
|
|
983 |
public String getSigAlgName() {
|
|
984 |
if (algId == null)
|
|
985 |
return null;
|
|
986 |
return (algId.getName());
|
|
987 |
}
|
|
988 |
|
|
989 |
/**
|
|
990 |
* Gets the signature algorithm OID string from the certificate.
|
|
991 |
* For example, the string "1.2.840.10040.4.3"
|
|
992 |
*
|
|
993 |
* @return the signature algorithm oid string.
|
|
994 |
*/
|
|
995 |
public String getSigAlgOID() {
|
|
996 |
if (algId == null)
|
|
997 |
return null;
|
|
998 |
ObjectIdentifier oid = algId.getOID();
|
|
999 |
return (oid.toString());
|
|
1000 |
}
|
|
1001 |
|
|
1002 |
/**
|
|
1003 |
* Gets the DER encoded signature algorithm parameters from this
|
|
1004 |
* certificate's signature algorithm.
|
|
1005 |
*
|
|
1006 |
* @return the DER encoded signature algorithm parameters, or
|
|
1007 |
* null if no parameters are present.
|
|
1008 |
*/
|
|
1009 |
public byte[] getSigAlgParams() {
|
|
1010 |
if (algId == null)
|
|
1011 |
return null;
|
|
1012 |
try {
|
|
1013 |
return algId.getEncodedParams();
|
|
1014 |
} catch (IOException e) {
|
|
1015 |
return null;
|
|
1016 |
}
|
|
1017 |
}
|
|
1018 |
|
|
1019 |
/**
|
|
1020 |
* Gets the Issuer Unique Identity from the certificate.
|
|
1021 |
*
|
|
1022 |
* @return the Issuer Unique Identity.
|
|
1023 |
*/
|
|
1024 |
public boolean[] getIssuerUniqueID() {
|
|
1025 |
if (info == null)
|
|
1026 |
return null;
|
|
1027 |
try {
|
|
1028 |
UniqueIdentity id = (UniqueIdentity)info.get(
|
|
1029 |
CertificateIssuerUniqueIdentity.NAME
|
|
1030 |
+ DOT + CertificateIssuerUniqueIdentity.ID);
|
|
1031 |
if (id == null)
|
|
1032 |
return null;
|
|
1033 |
else
|
|
1034 |
return (id.getId());
|
|
1035 |
} catch (Exception e) {
|
|
1036 |
return null;
|
|
1037 |
}
|
|
1038 |
}
|
|
1039 |
|
|
1040 |
/**
|
|
1041 |
* Gets the Subject Unique Identity from the certificate.
|
|
1042 |
*
|
|
1043 |
* @return the Subject Unique Identity.
|
|
1044 |
*/
|
|
1045 |
public boolean[] getSubjectUniqueID() {
|
|
1046 |
if (info == null)
|
|
1047 |
return null;
|
|
1048 |
try {
|
|
1049 |
UniqueIdentity id = (UniqueIdentity)info.get(
|
|
1050 |
CertificateSubjectUniqueIdentity.NAME
|
|
1051 |
+ DOT + CertificateSubjectUniqueIdentity.ID);
|
|
1052 |
if (id == null)
|
|
1053 |
return null;
|
|
1054 |
else
|
|
1055 |
return (id.getId());
|
|
1056 |
} catch (Exception e) {
|
|
1057 |
return null;
|
|
1058 |
}
|
|
1059 |
}
|
|
1060 |
|
|
1061 |
/**
|
|
1062 |
* Get AuthorityKeyIdentifier extension
|
|
1063 |
* @return AuthorityKeyIdentifier object or null (if no such object
|
|
1064 |
* in certificate)
|
|
1065 |
*/
|
|
1066 |
public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
|
|
1067 |
{
|
|
1068 |
return (AuthorityKeyIdentifierExtension)
|
|
1069 |
getExtension(PKIXExtensions.AuthorityKey_Id);
|
|
1070 |
}
|
|
1071 |
|
|
1072 |
/**
|
|
1073 |
* Get BasicConstraints extension
|
|
1074 |
* @return BasicConstraints object or null (if no such object in
|
|
1075 |
* certificate)
|
|
1076 |
*/
|
|
1077 |
public BasicConstraintsExtension getBasicConstraintsExtension() {
|
|
1078 |
return (BasicConstraintsExtension)
|
|
1079 |
getExtension(PKIXExtensions.BasicConstraints_Id);
|
|
1080 |
}
|
|
1081 |
|
|
1082 |
/**
|
|
1083 |
* Get CertificatePoliciesExtension
|
|
1084 |
* @return CertificatePoliciesExtension or null (if no such object in
|
|
1085 |
* certificate)
|
|
1086 |
*/
|
|
1087 |
public CertificatePoliciesExtension getCertificatePoliciesExtension() {
|
|
1088 |
return (CertificatePoliciesExtension)
|
|
1089 |
getExtension(PKIXExtensions.CertificatePolicies_Id);
|
|
1090 |
}
|
|
1091 |
|
|
1092 |
/**
|
|
1093 |
* Get ExtendedKeyUsage extension
|
|
1094 |
* @return ExtendedKeyUsage extension object or null (if no such object
|
|
1095 |
* in certificate)
|
|
1096 |
*/
|
|
1097 |
public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
|
|
1098 |
return (ExtendedKeyUsageExtension)
|
|
1099 |
getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
|
|
1100 |
}
|
|
1101 |
|
|
1102 |
/**
|
|
1103 |
* Get IssuerAlternativeName extension
|
|
1104 |
* @return IssuerAlternativeName object or null (if no such object in
|
|
1105 |
* certificate)
|
|
1106 |
*/
|
|
1107 |
public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
|
|
1108 |
return (IssuerAlternativeNameExtension)
|
|
1109 |
getExtension(PKIXExtensions.IssuerAlternativeName_Id);
|
|
1110 |
}
|
|
1111 |
|
|
1112 |
/**
|
|
1113 |
* Get NameConstraints extension
|
|
1114 |
* @return NameConstraints object or null (if no such object in certificate)
|
|
1115 |
*/
|
|
1116 |
public NameConstraintsExtension getNameConstraintsExtension() {
|
|
1117 |
return (NameConstraintsExtension)
|
|
1118 |
getExtension(PKIXExtensions.NameConstraints_Id);
|
|
1119 |
}
|
|
1120 |
|
|
1121 |
/**
|
|
1122 |
* Get PolicyConstraints extension
|
|
1123 |
* @return PolicyConstraints object or null (if no such object in
|
|
1124 |
* certificate)
|
|
1125 |
*/
|
|
1126 |
public PolicyConstraintsExtension getPolicyConstraintsExtension() {
|
|
1127 |
return (PolicyConstraintsExtension)
|
|
1128 |
getExtension(PKIXExtensions.PolicyConstraints_Id);
|
|
1129 |
}
|
|
1130 |
|
|
1131 |
/**
|
|
1132 |
* Get PolicyMappingsExtension extension
|
|
1133 |
* @return PolicyMappingsExtension object or null (if no such object
|
|
1134 |
* in certificate)
|
|
1135 |
*/
|
|
1136 |
public PolicyMappingsExtension getPolicyMappingsExtension() {
|
|
1137 |
return (PolicyMappingsExtension)
|
|
1138 |
getExtension(PKIXExtensions.PolicyMappings_Id);
|
|
1139 |
}
|
|
1140 |
|
|
1141 |
/**
|
|
1142 |
* Get PrivateKeyUsage extension
|
|
1143 |
* @return PrivateKeyUsage object or null (if no such object in certificate)
|
|
1144 |
*/
|
|
1145 |
public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
|
|
1146 |
return (PrivateKeyUsageExtension)
|
|
1147 |
getExtension(PKIXExtensions.PrivateKeyUsage_Id);
|
|
1148 |
}
|
|
1149 |
|
|
1150 |
/**
|
|
1151 |
* Get SubjectAlternativeName extension
|
|
1152 |
* @return SubjectAlternativeName object or null (if no such object in
|
|
1153 |
* certificate)
|
|
1154 |
*/
|
|
1155 |
public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
|
|
1156 |
{
|
|
1157 |
return (SubjectAlternativeNameExtension)
|
|
1158 |
getExtension(PKIXExtensions.SubjectAlternativeName_Id);
|
|
1159 |
}
|
|
1160 |
|
|
1161 |
/**
|
|
1162 |
* Get SubjectKeyIdentifier extension
|
|
1163 |
* @return SubjectKeyIdentifier object or null (if no such object in
|
|
1164 |
* certificate)
|
|
1165 |
*/
|
|
1166 |
public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
|
|
1167 |
return (SubjectKeyIdentifierExtension)
|
|
1168 |
getExtension(PKIXExtensions.SubjectKey_Id);
|
|
1169 |
}
|
|
1170 |
|
|
1171 |
/**
|
|
1172 |
* Get CRLDistributionPoints extension
|
|
1173 |
* @return CRLDistributionPoints object or null (if no such object in
|
|
1174 |
* certificate)
|
|
1175 |
*/
|
|
1176 |
public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
|
|
1177 |
return (CRLDistributionPointsExtension)
|
|
1178 |
getExtension(PKIXExtensions.CRLDistributionPoints_Id);
|
|
1179 |
}
|
|
1180 |
|
|
1181 |
/**
|
|
1182 |
* Return true if a critical extension is found that is
|
|
1183 |
* not supported, otherwise return false.
|
|
1184 |
*/
|
|
1185 |
public boolean hasUnsupportedCriticalExtension() {
|
|
1186 |
if (info == null)
|
|
1187 |
return false;
|
|
1188 |
try {
|
|
1189 |
CertificateExtensions exts = (CertificateExtensions)info.get(
|
|
1190 |
CertificateExtensions.NAME);
|
|
1191 |
if (exts == null)
|
|
1192 |
return false;
|
|
1193 |
return exts.hasUnsupportedCriticalExtension();
|
|
1194 |
} catch (Exception e) {
|
|
1195 |
return false;
|
|
1196 |
}
|
|
1197 |
}
|
|
1198 |
|
|
1199 |
/**
|
|
1200 |
* Gets a Set of the extension(s) marked CRITICAL in the
|
|
1201 |
* certificate. In the returned set, each extension is
|
|
1202 |
* represented by its OID string.
|
|
1203 |
*
|
|
1204 |
* @return a set of the extension oid strings in the
|
|
1205 |
* certificate that are marked critical.
|
|
1206 |
*/
|
|
1207 |
public Set<String> getCriticalExtensionOIDs() {
|
|
1208 |
if (info == null) {
|
|
1209 |
return null;
|
|
1210 |
}
|
|
1211 |
try {
|
|
1212 |
CertificateExtensions exts = (CertificateExtensions)info.get(
|
|
1213 |
CertificateExtensions.NAME);
|
|
1214 |
if (exts == null) {
|
|
1215 |
return null;
|
|
1216 |
}
|
|
1217 |
Set<String> extSet = new HashSet<String>();
|
|
1218 |
for (Extension ex : exts.getAllExtensions()) {
|
|
1219 |
if (ex.isCritical()) {
|
|
1220 |
extSet.add(ex.getExtensionId().toString());
|
|
1221 |
}
|
|
1222 |
}
|
|
1223 |
return extSet;
|
|
1224 |
} catch (Exception e) {
|
|
1225 |
return null;
|
|
1226 |
}
|
|
1227 |
}
|
|
1228 |
|
|
1229 |
/**
|
|
1230 |
* Gets a Set of the extension(s) marked NON-CRITICAL in the
|
|
1231 |
* certificate. In the returned set, each extension is
|
|
1232 |
* represented by its OID string.
|
|
1233 |
*
|
|
1234 |
* @return a set of the extension oid strings in the
|
|
1235 |
* certificate that are NOT marked critical.
|
|
1236 |
*/
|
|
1237 |
public Set<String> getNonCriticalExtensionOIDs() {
|
|
1238 |
if (info == null) {
|
|
1239 |
return null;
|
|
1240 |
}
|
|
1241 |
try {
|
|
1242 |
CertificateExtensions exts = (CertificateExtensions)info.get(
|
|
1243 |
CertificateExtensions.NAME);
|
|
1244 |
if (exts == null) {
|
|
1245 |
return null;
|
|
1246 |
}
|
|
1247 |
Set<String> extSet = new HashSet<String>();
|
|
1248 |
for (Extension ex : exts.getAllExtensions()) {
|
|
1249 |
if (!ex.isCritical()) {
|
|
1250 |
extSet.add(ex.getExtensionId().toString());
|
|
1251 |
}
|
|
1252 |
}
|
|
1253 |
extSet.addAll(exts.getUnparseableExtensions().keySet());
|
|
1254 |
return extSet;
|
|
1255 |
} catch (Exception e) {
|
|
1256 |
return null;
|
|
1257 |
}
|
|
1258 |
}
|
|
1259 |
|
|
1260 |
/**
|
|
1261 |
* Gets the extension identified by the given ObjectIdentifier
|
|
1262 |
*
|
|
1263 |
* @param oid the Object Identifier value for the extension.
|
|
1264 |
* @return Extension or null if certificate does not contain this
|
|
1265 |
* extension
|
|
1266 |
*/
|
|
1267 |
public Extension getExtension(ObjectIdentifier oid) {
|
|
1268 |
if (info == null) {
|
|
1269 |
return null;
|
|
1270 |
}
|
|
1271 |
try {
|
|
1272 |
CertificateExtensions extensions;
|
|
1273 |
try {
|
|
1274 |
extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
|
|
1275 |
} catch (CertificateException ce) {
|
|
1276 |
return null;
|
|
1277 |
}
|
|
1278 |
if (extensions == null) {
|
|
1279 |
return null;
|
|
1280 |
} else {
|
|
1281 |
for (Extension ex : extensions.getAllExtensions()) {
|
|
1282 |
if (ex.getExtensionId().equals(oid)) {
|
|
1283 |
//XXXX May want to consider cloning this
|
|
1284 |
return ex;
|
|
1285 |
}
|
|
1286 |
}
|
|
1287 |
/* no such extension in this certificate */
|
|
1288 |
return null;
|
|
1289 |
}
|
|
1290 |
} catch (IOException ioe) {
|
|
1291 |
return null;
|
|
1292 |
}
|
|
1293 |
}
|
|
1294 |
|
|
1295 |
public Extension getUnparseableExtension(ObjectIdentifier oid) {
|
|
1296 |
if (info == null) {
|
|
1297 |
return null;
|
|
1298 |
}
|
|
1299 |
try {
|
|
1300 |
CertificateExtensions extensions;
|
|
1301 |
try {
|
|
1302 |
extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
|
|
1303 |
} catch (CertificateException ce) {
|
|
1304 |
return null;
|
|
1305 |
}
|
|
1306 |
if (extensions == null) {
|
|
1307 |
return null;
|
|
1308 |
} else {
|
|
1309 |
return extensions.getUnparseableExtensions().get(oid.toString());
|
|
1310 |
}
|
|
1311 |
} catch (IOException ioe) {
|
|
1312 |
return null;
|
|
1313 |
}
|
|
1314 |
}
|
|
1315 |
|
|
1316 |
/**
|
|
1317 |
* Gets the DER encoded extension identified by the given
|
|
1318 |
* oid String.
|
|
1319 |
*
|
|
1320 |
* @param oid the Object Identifier value for the extension.
|
|
1321 |
*/
|
|
1322 |
public byte[] getExtensionValue(String oid) {
|
|
1323 |
try {
|
|
1324 |
ObjectIdentifier findOID = new ObjectIdentifier(oid);
|
|
1325 |
String extAlias = OIDMap.getName(findOID);
|
|
1326 |
Extension certExt = null;
|
|
1327 |
CertificateExtensions exts = (CertificateExtensions)info.get(
|
|
1328 |
CertificateExtensions.NAME);
|
|
1329 |
|
|
1330 |
if (extAlias == null) { // may be unknown
|
|
1331 |
// get the extensions, search thru' for this oid
|
|
1332 |
if (exts == null) {
|
|
1333 |
return null;
|
|
1334 |
}
|
|
1335 |
|
|
1336 |
for (Extension ex : exts.getAllExtensions()) {
|
|
1337 |
ObjectIdentifier inCertOID = ex.getExtensionId();
|
|
1338 |
if (inCertOID.equals(findOID)) {
|
|
1339 |
certExt = ex;
|
|
1340 |
break;
|
|
1341 |
}
|
|
1342 |
}
|
|
1343 |
} else { // there's sub-class that can handle this extension
|
|
1344 |
try {
|
|
1345 |
certExt = (Extension)this.get(extAlias);
|
|
1346 |
} catch (CertificateException e) {
|
|
1347 |
// get() throws an Exception instead of returning null, ignore
|
|
1348 |
}
|
|
1349 |
}
|
|
1350 |
if (certExt == null) {
|
|
1351 |
if (exts != null) {
|
|
1352 |
certExt = exts.getUnparseableExtensions().get(oid);
|
|
1353 |
}
|
|
1354 |
if (certExt == null) {
|
|
1355 |
return null;
|
|
1356 |
}
|
|
1357 |
}
|
|
1358 |
byte[] extData = certExt.getExtensionValue();
|
|
1359 |
if (extData == null) {
|
|
1360 |
return null;
|
|
1361 |
}
|
|
1362 |
DerOutputStream out = new DerOutputStream();
|
|
1363 |
out.putOctetString(extData);
|
|
1364 |
return out.toByteArray();
|
|
1365 |
} catch (Exception e) {
|
|
1366 |
return null;
|
|
1367 |
}
|
|
1368 |
}
|
|
1369 |
|
|
1370 |
/**
|
|
1371 |
* Get a boolean array representing the bits of the KeyUsage extension,
|
|
1372 |
* (oid = 2.5.29.15).
|
|
1373 |
* @return the bit values of this extension as an array of booleans.
|
|
1374 |
*/
|
|
1375 |
public boolean[] getKeyUsage() {
|
|
1376 |
try {
|
|
1377 |
String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
|
|
1378 |
if (extAlias == null)
|
|
1379 |
return null;
|
|
1380 |
|
|
1381 |
KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
|
|
1382 |
if (certExt == null)
|
|
1383 |
return null;
|
|
1384 |
|
|
1385 |
boolean[] ret = certExt.getBits();
|
|
1386 |
if (ret.length < NUM_STANDARD_KEY_USAGE) {
|
|
1387 |
boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
|
|
1388 |
System.arraycopy(ret, 0, usageBits, 0, ret.length);
|
|
1389 |
ret = usageBits;
|
|
1390 |
}
|
|
1391 |
return ret;
|
|
1392 |
} catch (Exception e) {
|
|
1393 |
return null;
|
|
1394 |
}
|
|
1395 |
}
|
|
1396 |
|
|
1397 |
/**
|
|
1398 |
* This method are the overridden implementation of
|
|
1399 |
* getExtendedKeyUsage method in X509Certificate in the Sun
|
|
1400 |
* provider. It is better performance-wise since it returns cached
|
|
1401 |
* values.
|
|
1402 |
*/
|
|
1403 |
public synchronized List<String> getExtendedKeyUsage()
|
|
1404 |
throws CertificateParsingException {
|
|
1405 |
if (readOnly && extKeyUsage != null) {
|
|
1406 |
return extKeyUsage;
|
|
1407 |
} else {
|
|
1408 |
ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
|
|
1409 |
if (ext == null) {
|
|
1410 |
return null;
|
|
1411 |
}
|
|
1412 |
extKeyUsage =
|
|
1413 |
Collections.unmodifiableList(ext.getExtendedKeyUsage());
|
|
1414 |
return extKeyUsage;
|
|
1415 |
}
|
|
1416 |
}
|
|
1417 |
|
|
1418 |
/**
|
|
1419 |
* This static method is the default implementation of the
|
|
1420 |
* getExtendedKeyUsage method in X509Certificate. A
|
|
1421 |
* X509Certificate provider generally should overwrite this to
|
|
1422 |
* provide among other things caching for better performance.
|
|
1423 |
*/
|
|
1424 |
public static List<String> getExtendedKeyUsage(X509Certificate cert)
|
|
1425 |
throws CertificateParsingException {
|
|
1426 |
try {
|
|
1427 |
byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID);
|
|
1428 |
if (ext == null)
|
|
1429 |
return null;
|
|
1430 |
DerValue val = new DerValue(ext);
|
|
1431 |
byte[] data = val.getOctetString();
|
|
1432 |
|
|
1433 |
ExtendedKeyUsageExtension ekuExt =
|
|
1434 |
new ExtendedKeyUsageExtension(Boolean.FALSE, data);
|
|
1435 |
return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
|
|
1436 |
} catch (IOException ioe) {
|
|
1437 |
CertificateParsingException cpe =
|
|
1438 |
new CertificateParsingException();
|
|
1439 |
cpe.initCause(ioe);
|
|
1440 |
throw cpe;
|
|
1441 |
}
|
|
1442 |
}
|
|
1443 |
|
|
1444 |
/**
|
|
1445 |
* Get the certificate constraints path length from the
|
|
1446 |
* the critical BasicConstraints extension, (oid = 2.5.29.19).
|
|
1447 |
* @return the length of the constraint.
|
|
1448 |
*/
|
|
1449 |
public int getBasicConstraints() {
|
|
1450 |
try {
|
|
1451 |
String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
|
|
1452 |
if (extAlias == null)
|
|
1453 |
return -1;
|
|
1454 |
BasicConstraintsExtension certExt =
|
|
1455 |
(BasicConstraintsExtension)this.get(extAlias);
|
|
1456 |
if (certExt == null)
|
|
1457 |
return -1;
|
|
1458 |
|
|
1459 |
if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
|
|
1460 |
).booleanValue() == true)
|
|
1461 |
return ((Integer)certExt.get(
|
|
1462 |
BasicConstraintsExtension.PATH_LEN)).intValue();
|
|
1463 |
else
|
|
1464 |
return -1;
|
|
1465 |
} catch (Exception e) {
|
|
1466 |
return -1;
|
|
1467 |
}
|
|
1468 |
}
|
|
1469 |
|
|
1470 |
/**
|
|
1471 |
* Converts a GeneralNames structure into an immutable Collection of
|
|
1472 |
* alternative names (subject or issuer) in the form required by
|
|
1473 |
* {@link #getSubjectAlternativeNames} or
|
|
1474 |
* {@link #getIssuerAlternativeNames}.
|
|
1475 |
*
|
|
1476 |
* @param names the GeneralNames to be converted
|
|
1477 |
* @return an immutable Collection of alternative names
|
|
1478 |
*/
|
|
1479 |
private static Collection<List<?>> makeAltNames(GeneralNames names) {
|
|
1480 |
if (names.isEmpty()) {
|
|
1481 |
return Collections.<List<?>>emptySet();
|
|
1482 |
}
|
|
1483 |
Set<List<?>> newNames = new HashSet<List<?>>();
|
|
1484 |
for (GeneralName gname : names.names()) {
|
|
1485 |
GeneralNameInterface name = gname.getName();
|
|
1486 |
List<Object> nameEntry = new ArrayList<Object>(2);
|
|
1487 |
nameEntry.add(Integer.valueOf(name.getType()));
|
|
1488 |
switch (name.getType()) {
|
|
1489 |
case GeneralNameInterface.NAME_RFC822:
|
|
1490 |
nameEntry.add(((RFC822Name) name).getName());
|
|
1491 |
break;
|
|
1492 |
case GeneralNameInterface.NAME_DNS:
|
|
1493 |
nameEntry.add(((DNSName) name).getName());
|
|
1494 |
break;
|
|
1495 |
case GeneralNameInterface.NAME_DIRECTORY:
|
|
1496 |
nameEntry.add(((X500Name) name).getRFC2253Name());
|
|
1497 |
break;
|
|
1498 |
case GeneralNameInterface.NAME_URI:
|
|
1499 |
nameEntry.add(((URIName) name).getName());
|
|
1500 |
break;
|
|
1501 |
case GeneralNameInterface.NAME_IP:
|
|
1502 |
try {
|
|
1503 |
nameEntry.add(((IPAddressName) name).getName());
|
|
1504 |
} catch (IOException ioe) {
|
|
1505 |
// IPAddressName in cert is bogus
|
|
1506 |
throw new RuntimeException("IPAddress cannot be parsed",
|
|
1507 |
ioe);
|
|
1508 |
}
|
|
1509 |
break;
|
|
1510 |
case GeneralNameInterface.NAME_OID:
|
|
1511 |
nameEntry.add(((OIDName) name).getOID().toString());
|
|
1512 |
break;
|
|
1513 |
default:
|
|
1514 |
// add DER encoded form
|
|
1515 |
DerOutputStream derOut = new DerOutputStream();
|
|
1516 |
try {
|
|
1517 |
name.encode(derOut);
|
|
1518 |
} catch (IOException ioe) {
|
|
1519 |
// should not occur since name has already been decoded
|
|
1520 |
// from cert (this would indicate a bug in our code)
|
|
1521 |
throw new RuntimeException("name cannot be encoded", ioe);
|
|
1522 |
}
|
|
1523 |
nameEntry.add(derOut.toByteArray());
|
|
1524 |
break;
|
|
1525 |
}
|
|
1526 |
newNames.add(Collections.unmodifiableList(nameEntry));
|
|
1527 |
}
|
|
1528 |
return Collections.unmodifiableCollection(newNames);
|
|
1529 |
}
|
|
1530 |
|
|
1531 |
/**
|
|
1532 |
* Checks a Collection of altNames and clones any name entries of type
|
|
1533 |
* byte [].
|
|
1534 |
*/ // only partially generified due to javac bug
|
|
1535 |
private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
|
|
1536 |
boolean mustClone = false;
|
|
1537 |
for (List<?> nameEntry : altNames) {
|
|
1538 |
if (nameEntry.get(1) instanceof byte[]) {
|
|
1539 |
// must clone names
|
|
1540 |
mustClone = true;
|
|
1541 |
}
|
|
1542 |
}
|
|
1543 |
if (mustClone) {
|
|
1544 |
Set<List<?>> namesCopy = new HashSet<List<?>>();
|
|
1545 |
for (List<?> nameEntry : altNames) {
|
|
1546 |
Object nameObject = nameEntry.get(1);
|
|
1547 |
if (nameObject instanceof byte[]) {
|
|
1548 |
List<Object> nameEntryCopy =
|
|
1549 |
new ArrayList<Object>(nameEntry);
|
|
1550 |
nameEntryCopy.set(1, ((byte[])nameObject).clone());
|
|
1551 |
namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
|
|
1552 |
} else {
|
|
1553 |
namesCopy.add(nameEntry);
|
|
1554 |
}
|
|
1555 |
}
|
|
1556 |
return Collections.unmodifiableCollection(namesCopy);
|
|
1557 |
} else {
|
|
1558 |
return altNames;
|
|
1559 |
}
|
|
1560 |
}
|
|
1561 |
|
|
1562 |
/**
|
|
1563 |
* This method are the overridden implementation of
|
|
1564 |
* getSubjectAlternativeNames method in X509Certificate in the Sun
|
|
1565 |
* provider. It is better performance-wise since it returns cached
|
|
1566 |
* values.
|
|
1567 |
*/
|
|
1568 |
public synchronized Collection<List<?>> getSubjectAlternativeNames()
|
|
1569 |
throws CertificateParsingException {
|
|
1570 |
// return cached value if we can
|
|
1571 |
if (readOnly && subjectAlternativeNames != null) {
|
|
1572 |
return cloneAltNames(subjectAlternativeNames);
|
|
1573 |
}
|
|
1574 |
SubjectAlternativeNameExtension subjectAltNameExt =
|
|
1575 |
getSubjectAlternativeNameExtension();
|
|
1576 |
if (subjectAltNameExt == null) {
|
|
1577 |
return null;
|
|
1578 |
}
|
|
1579 |
GeneralNames names;
|
|
1580 |
try {
|
|
1581 |
names = (GeneralNames) subjectAltNameExt.get
|
|
1582 |
(SubjectAlternativeNameExtension.SUBJECT_NAME);
|
|
1583 |
} catch (IOException ioe) {
|
|
1584 |
// should not occur
|
|
1585 |
return Collections.<List<?>>emptySet();
|
|
1586 |
}
|
|
1587 |
subjectAlternativeNames = makeAltNames(names);
|
|
1588 |
return subjectAlternativeNames;
|
|
1589 |
}
|
|
1590 |
|
|
1591 |
/**
|
|
1592 |
* This static method is the default implementation of the
|
|
1593 |
* getSubjectAlternaitveNames method in X509Certificate. A
|
|
1594 |
* X509Certificate provider generally should overwrite this to
|
|
1595 |
* provide among other things caching for better performance.
|
|
1596 |
*/
|
|
1597 |
public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
|
|
1598 |
throws CertificateParsingException {
|
|
1599 |
try {
|
|
1600 |
byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID);
|
|
1601 |
if (ext == null) {
|
|
1602 |
return null;
|
|
1603 |
}
|
|
1604 |
DerValue val = new DerValue(ext);
|
|
1605 |
byte[] data = val.getOctetString();
|
|
1606 |
|
|
1607 |
SubjectAlternativeNameExtension subjectAltNameExt =
|
|
1608 |
new SubjectAlternativeNameExtension(Boolean.FALSE,
|
|
1609 |
data);
|
|
1610 |
|
|
1611 |
GeneralNames names;
|
|
1612 |
try {
|
|
1613 |
names = (GeneralNames) subjectAltNameExt.get
|
|
1614 |
(SubjectAlternativeNameExtension.SUBJECT_NAME);
|
|
1615 |
} catch (IOException ioe) {
|
|
1616 |
// should not occur
|
|
1617 |
return Collections.<List<?>>emptySet();
|
|
1618 |
}
|
|
1619 |
return makeAltNames(names);
|
|
1620 |
} catch (IOException ioe) {
|
|
1621 |
CertificateParsingException cpe =
|
|
1622 |
new CertificateParsingException();
|
|
1623 |
cpe.initCause(ioe);
|
|
1624 |
throw cpe;
|
|
1625 |
}
|
|
1626 |
}
|
|
1627 |
|
|
1628 |
/**
|
|
1629 |
* This method are the overridden implementation of
|
|
1630 |
* getIssuerAlternativeNames method in X509Certificate in the Sun
|
|
1631 |
* provider. It is better performance-wise since it returns cached
|
|
1632 |
* values.
|
|
1633 |
*/
|
|
1634 |
public synchronized Collection<List<?>> getIssuerAlternativeNames()
|
|
1635 |
throws CertificateParsingException {
|
|
1636 |
// return cached value if we can
|
|
1637 |
if (readOnly && issuerAlternativeNames != null) {
|
|
1638 |
return cloneAltNames(issuerAlternativeNames);
|
|
1639 |
}
|
|
1640 |
IssuerAlternativeNameExtension issuerAltNameExt =
|
|
1641 |
getIssuerAlternativeNameExtension();
|
|
1642 |
if (issuerAltNameExt == null) {
|
|
1643 |
return null;
|
|
1644 |
}
|
|
1645 |
GeneralNames names;
|
|
1646 |
try {
|
|
1647 |
names = (GeneralNames) issuerAltNameExt.get
|
|
1648 |
(IssuerAlternativeNameExtension.ISSUER_NAME);
|
|
1649 |
} catch (IOException ioe) {
|
|
1650 |
// should not occur
|
|
1651 |
return Collections.<List<?>>emptySet();
|
|
1652 |
}
|
|
1653 |
issuerAlternativeNames = makeAltNames(names);
|
|
1654 |
return issuerAlternativeNames;
|
|
1655 |
}
|
|
1656 |
|
|
1657 |
/**
|
|
1658 |
* This static method is the default implementation of the
|
|
1659 |
* getIssuerAlternaitveNames method in X509Certificate. A
|
|
1660 |
* X509Certificate provider generally should overwrite this to
|
|
1661 |
* provide among other things caching for better performance.
|
|
1662 |
*/
|
|
1663 |
public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
|
|
1664 |
throws CertificateParsingException {
|
|
1665 |
try {
|
|
1666 |
byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
|
|
1667 |
if (ext == null) {
|
|
1668 |
return null;
|
|
1669 |
}
|
|
1670 |
|
|
1671 |
DerValue val = new DerValue(ext);
|
|
1672 |
byte[] data = val.getOctetString();
|
|
1673 |
|
|
1674 |
IssuerAlternativeNameExtension issuerAltNameExt =
|
|
1675 |
new IssuerAlternativeNameExtension(Boolean.FALSE,
|
|
1676 |
data);
|
|
1677 |
GeneralNames names;
|
|
1678 |
try {
|
|
1679 |
names = (GeneralNames) issuerAltNameExt.get
|
|
1680 |
(IssuerAlternativeNameExtension.ISSUER_NAME);
|
|
1681 |
} catch (IOException ioe) {
|
|
1682 |
// should not occur
|
|
1683 |
return Collections.<List<?>>emptySet();
|
|
1684 |
}
|
|
1685 |
return makeAltNames(names);
|
|
1686 |
} catch (IOException ioe) {
|
|
1687 |
CertificateParsingException cpe =
|
|
1688 |
new CertificateParsingException();
|
|
1689 |
cpe.initCause(ioe);
|
|
1690 |
throw cpe;
|
|
1691 |
}
|
|
1692 |
}
|
|
1693 |
|
|
1694 |
public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
|
|
1695 |
return (AuthorityInfoAccessExtension)
|
|
1696 |
getExtension(PKIXExtensions.AuthInfoAccess_Id);
|
|
1697 |
}
|
|
1698 |
|
|
1699 |
/************************************************************/
|
|
1700 |
|
|
1701 |
/*
|
|
1702 |
* Cert is a SIGNED ASN.1 macro, a three elment sequence:
|
|
1703 |
*
|
|
1704 |
* - Data to be signed (ToBeSigned) -- the "raw" cert
|
|
1705 |
* - Signature algorithm (SigAlgId)
|
|
1706 |
* - The signature bits
|
|
1707 |
*
|
|
1708 |
* This routine unmarshals the certificate, saving the signature
|
|
1709 |
* parts away for later verification.
|
|
1710 |
*/
|
|
1711 |
private void parse(DerValue val)
|
|
1712 |
throws CertificateException, IOException {
|
|
1713 |
// check if can over write the certificate
|
|
1714 |
if (readOnly)
|
|
1715 |
throw new CertificateParsingException(
|
|
1716 |
"cannot over-write existing certificate");
|
|
1717 |
|
|
1718 |
if (val.data == null || val.tag != DerValue.tag_Sequence)
|
|
1719 |
throw new CertificateParsingException(
|
|
1720 |
"invalid DER-encoded certificate data");
|
|
1721 |
|
|
1722 |
signedCert = val.toByteArray();
|
|
1723 |
DerValue[] seq = new DerValue[3];
|
|
1724 |
|
|
1725 |
seq[0] = val.data.getDerValue();
|
|
1726 |
seq[1] = val.data.getDerValue();
|
|
1727 |
seq[2] = val.data.getDerValue();
|
|
1728 |
|
|
1729 |
if (val.data.available() != 0) {
|
|
1730 |
throw new CertificateParsingException("signed overrun, bytes = "
|
|
1731 |
+ val.data.available());
|
|
1732 |
}
|
|
1733 |
if (seq[0].tag != DerValue.tag_Sequence) {
|
|
1734 |
throw new CertificateParsingException("signed fields invalid");
|
|
1735 |
}
|
|
1736 |
|
|
1737 |
algId = AlgorithmId.parse(seq[1]);
|
|
1738 |
signature = seq[2].getBitString();
|
|
1739 |
|
|
1740 |
if (seq[1].data.available() != 0) {
|
|
1741 |
throw new CertificateParsingException("algid field overrun");
|
|
1742 |
}
|
|
1743 |
if (seq[2].data.available() != 0)
|
|
1744 |
throw new CertificateParsingException("signed fields overrun");
|
|
1745 |
|
|
1746 |
// The CertificateInfo
|
|
1747 |
info = new X509CertInfo(seq[0]);
|
|
1748 |
|
|
1749 |
// the "inner" and "outer" signature algorithms must match
|
|
1750 |
AlgorithmId infoSigAlg = (AlgorithmId)info.get(
|
|
1751 |
CertificateAlgorithmId.NAME
|
|
1752 |
+ DOT +
|
|
1753 |
CertificateAlgorithmId.ALGORITHM);
|
|
1754 |
if (! algId.equals(infoSigAlg))
|
|
1755 |
throw new CertificateException("Signature algorithm mismatch");
|
|
1756 |
readOnly = true;
|
|
1757 |
}
|
|
1758 |
|
|
1759 |
/**
|
|
1760 |
* Extract the subject or issuer X500Principal from an X509Certificate.
|
|
1761 |
* Parses the encoded form of the cert to preserve the principal's
|
|
1762 |
* ASN.1 encoding.
|
|
1763 |
*/
|
|
1764 |
private static X500Principal getX500Principal(X509Certificate cert,
|
|
1765 |
boolean getIssuer) throws Exception {
|
|
1766 |
byte[] encoded = cert.getEncoded();
|
|
1767 |
DerInputStream derIn = new DerInputStream(encoded);
|
|
1768 |
DerValue tbsCert = derIn.getSequence(3)[0];
|
|
1769 |
DerInputStream tbsIn = tbsCert.data;
|
|
1770 |
DerValue tmp;
|
|
1771 |
tmp = tbsIn.getDerValue();
|
|
1772 |
// skip version number if present
|
|
1773 |
if (tmp.isContextSpecific((byte)0)) {
|
|
1774 |
tmp = tbsIn.getDerValue();
|
|
1775 |
}
|
|
1776 |
// tmp always contains serial number now
|
|
1777 |
tmp = tbsIn.getDerValue(); // skip signature
|
|
1778 |
tmp = tbsIn.getDerValue(); // issuer
|
|
1779 |
if (getIssuer == false) {
|
|
1780 |
tmp = tbsIn.getDerValue(); // skip validity
|
|
1781 |
tmp = tbsIn.getDerValue(); // subject
|
|
1782 |
}
|
|
1783 |
byte[] principalBytes = tmp.toByteArray();
|
|
1784 |
return new X500Principal(principalBytes);
|
|
1785 |
}
|
|
1786 |
|
|
1787 |
/**
|
|
1788 |
* Extract the subject X500Principal from an X509Certificate.
|
|
1789 |
* Called from java.security.cert.X509Certificate.getSubjectX500Principal().
|
|
1790 |
*/
|
|
1791 |
public static X500Principal getSubjectX500Principal(X509Certificate cert) {
|
|
1792 |
try {
|
|
1793 |
return getX500Principal(cert, false);
|
|
1794 |
} catch (Exception e) {
|
|
1795 |
throw new RuntimeException("Could not parse subject", e);
|
|
1796 |
}
|
|
1797 |
}
|
|
1798 |
|
|
1799 |
/**
|
|
1800 |
* Extract the issuer X500Principal from an X509Certificate.
|
|
1801 |
* Called from java.security.cert.X509Certificate.getIssuerX500Principal().
|
|
1802 |
*/
|
|
1803 |
public static X500Principal getIssuerX500Principal(X509Certificate cert) {
|
|
1804 |
try {
|
|
1805 |
return getX500Principal(cert, true);
|
|
1806 |
} catch (Exception e) {
|
|
1807 |
throw new RuntimeException("Could not parse issuer", e);
|
|
1808 |
}
|
|
1809 |
}
|
|
1810 |
|
|
1811 |
/**
|
|
1812 |
* Returned the encoding of the given certificate for internal use.
|
|
1813 |
* Callers must guarantee that they neither modify it nor expose it
|
|
1814 |
* to untrusted code. Uses getEncodedInternal() if the certificate
|
|
1815 |
* is instance of X509CertImpl, getEncoded() otherwise.
|
|
1816 |
*/
|
|
1817 |
public static byte[] getEncodedInternal(Certificate cert)
|
|
1818 |
throws CertificateEncodingException {
|
|
1819 |
if (cert instanceof X509CertImpl) {
|
|
1820 |
return ((X509CertImpl)cert).getEncodedInternal();
|
|
1821 |
} else {
|
|
1822 |
return cert.getEncoded();
|
|
1823 |
}
|
|
1824 |
}
|
|
1825 |
|
|
1826 |
/**
|
|
1827 |
* Utility method to convert an arbitrary instance of X509Certificate
|
|
1828 |
* to a X509CertImpl. Does a cast if possible, otherwise reparses
|
|
1829 |
* the encoding.
|
|
1830 |
*/
|
|
1831 |
public static X509CertImpl toImpl(X509Certificate cert)
|
|
1832 |
throws CertificateException {
|
|
1833 |
if (cert instanceof X509CertImpl) {
|
|
1834 |
return (X509CertImpl)cert;
|
|
1835 |
} else {
|
|
1836 |
return X509Factory.intern(cert);
|
|
1837 |
}
|
|
1838 |
}
|
|
1839 |
|
|
1840 |
/**
|
|
1841 |
* Utility method to test if a certificate is self-issued. This is
|
|
1842 |
* the case iff the subject and issuer X500Principals are equal.
|
|
1843 |
*/
|
|
1844 |
public static boolean isSelfIssued(X509Certificate cert) {
|
|
1845 |
X500Principal subject = cert.getSubjectX500Principal();
|
|
1846 |
X500Principal issuer = cert.getIssuerX500Principal();
|
|
1847 |
return subject.equals(issuer);
|
|
1848 |
}
|
|
1849 |
|
|
1850 |
/**
|
|
1851 |
* Utility method to test if a certificate is self-signed. This is
|
|
1852 |
* the case iff the subject and issuer X500Principals are equal
|
|
1853 |
* AND the certificate's subject public key can be used to verify
|
|
1854 |
* the certificate. In case of exception, returns false.
|
|
1855 |
*/
|
|
1856 |
public static boolean isSelfSigned(X509Certificate cert,
|
|
1857 |
String sigProvider) {
|
|
1858 |
if (isSelfIssued(cert)) {
|
|
1859 |
try {
|
|
1860 |
if (sigProvider == null) {
|
|
1861 |
cert.verify(cert.getPublicKey());
|
|
1862 |
} else {
|
|
1863 |
cert.verify(cert.getPublicKey(), sigProvider);
|
|
1864 |
}
|
|
1865 |
return true;
|
|
1866 |
} catch (Exception e) {
|
|
1867 |
// In case of exception, return false
|
|
1868 |
}
|
|
1869 |
}
|
|
1870 |
return false;
|
|
1871 |
}
|
|
1872 |
}
|