32 import java.io.InputStream; |
32 import java.io.InputStream; |
33 import java.io.InputStreamReader; |
33 import java.io.InputStreamReader; |
34 import java.io.OutputStream; |
34 import java.io.OutputStream; |
35 import java.math.BigInteger; |
35 import java.math.BigInteger; |
36 import java.security.*; |
36 import java.security.*; |
|
37 import java.security.spec.AlgorithmParameterSpec; |
37 import java.security.cert.*; |
38 import java.security.cert.*; |
38 import java.security.cert.Certificate; |
39 import java.security.cert.Certificate; |
39 import java.util.*; |
40 import java.util.*; |
40 import java.util.concurrent.ConcurrentHashMap; |
41 import java.util.concurrent.ConcurrentHashMap; |
41 |
42 |
42 import javax.security.auth.x500.X500Principal; |
43 import javax.security.auth.x500.X500Principal; |
43 |
44 |
44 import sun.security.util.HexDumpEncoder; |
|
45 import java.util.Base64; |
45 import java.util.Base64; |
46 import sun.security.util.*; |
46 import sun.security.util.*; |
47 import sun.security.provider.X509Factory; |
47 import sun.security.provider.X509Factory; |
48 |
48 |
49 /** |
49 /** |
386 * @exception CertificateException on encoding errors. |
386 * @exception CertificateException on encoding errors. |
387 */ |
387 */ |
388 public void verify(PublicKey key) |
388 public void verify(PublicKey key) |
389 throws CertificateException, NoSuchAlgorithmException, |
389 throws CertificateException, NoSuchAlgorithmException, |
390 InvalidKeyException, NoSuchProviderException, SignatureException { |
390 InvalidKeyException, NoSuchProviderException, SignatureException { |
391 |
|
392 verify(key, ""); |
391 verify(key, ""); |
393 } |
392 } |
394 |
393 |
395 /** |
394 /** |
396 * Throws an exception if the certificate was not signed using the |
395 * Throws an exception if the certificate was not signed using the |
433 if (sigProvider.length() == 0) { |
432 if (sigProvider.length() == 0) { |
434 sigVerf = Signature.getInstance(algId.getName()); |
433 sigVerf = Signature.getInstance(algId.getName()); |
435 } else { |
434 } else { |
436 sigVerf = Signature.getInstance(algId.getName(), sigProvider); |
435 sigVerf = Signature.getInstance(algId.getName(), sigProvider); |
437 } |
436 } |
|
437 |
438 sigVerf.initVerify(key); |
438 sigVerf.initVerify(key); |
|
439 |
|
440 // set parameters after Signature.initSign/initVerify call, |
|
441 // so the deferred provider selection happens when key is set |
|
442 try { |
|
443 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams()); |
|
444 } catch (ProviderException e) { |
|
445 throw new CertificateException(e.getMessage(), e.getCause()); |
|
446 } catch (InvalidAlgorithmParameterException e) { |
|
447 throw new CertificateException(e); |
|
448 } |
439 |
449 |
440 byte[] rawCert = info.getEncodedInfo(); |
450 byte[] rawCert = info.getEncodedInfo(); |
441 sigVerf.update(rawCert, 0, rawCert.length); |
451 sigVerf.update(rawCert, 0, rawCert.length); |
442 |
452 |
443 // verify may throw SignatureException for invalid encodings, etc. |
453 // verify may throw SignatureException for invalid encodings, etc. |
478 if (sigProvider == null) { |
488 if (sigProvider == null) { |
479 sigVerf = Signature.getInstance(algId.getName()); |
489 sigVerf = Signature.getInstance(algId.getName()); |
480 } else { |
490 } else { |
481 sigVerf = Signature.getInstance(algId.getName(), sigProvider); |
491 sigVerf = Signature.getInstance(algId.getName(), sigProvider); |
482 } |
492 } |
|
493 |
483 sigVerf.initVerify(key); |
494 sigVerf.initVerify(key); |
|
495 |
|
496 // set parameters after Signature.initSign/initVerify call, |
|
497 // so the deferred provider selection happens when key is set |
|
498 try { |
|
499 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams()); |
|
500 } catch (ProviderException e) { |
|
501 throw new CertificateException(e.getMessage(), e.getCause()); |
|
502 } catch (InvalidAlgorithmParameterException e) { |
|
503 throw new CertificateException(e); |
|
504 } |
484 |
505 |
485 byte[] rawCert = info.getEncodedInfo(); |
506 byte[] rawCert = info.getEncodedInfo(); |
486 sigVerf.update(rawCert, 0, rawCert.length); |
507 sigVerf.update(rawCert, 0, rawCert.length); |
487 |
508 |
488 // verify may throw SignatureException for invalid encodings, etc. |
509 // verify may throw SignatureException for invalid encodings, etc. |
534 * @exception CertificateException on encoding errors. |
555 * @exception CertificateException on encoding errors. |
535 */ |
556 */ |
536 public void sign(PrivateKey key, String algorithm, String provider) |
557 public void sign(PrivateKey key, String algorithm, String provider) |
537 throws CertificateException, NoSuchAlgorithmException, |
558 throws CertificateException, NoSuchAlgorithmException, |
538 InvalidKeyException, NoSuchProviderException, SignatureException { |
559 InvalidKeyException, NoSuchProviderException, SignatureException { |
|
560 try { |
|
561 sign(key, null, algorithm, provider); |
|
562 } catch (InvalidAlgorithmParameterException e) { |
|
563 // should not happen; re-throw just in case |
|
564 throw new SignatureException(e); |
|
565 } |
|
566 } |
|
567 |
|
568 /** |
|
569 * Creates an X.509 certificate, and signs it using the given key |
|
570 * (associating a signature algorithm and an X.500 name), signature |
|
571 * parameters, and security provider. If the given provider name |
|
572 * is null or empty, the implementation look up will be based on |
|
573 * provider configurations. |
|
574 * This operation is used to implement the certificate generation |
|
575 * functionality of a certificate authority. |
|
576 * |
|
577 * @param key the private key used for signing |
|
578 * @param signingParams the parameters used for signing |
|
579 * @param algorithm the name of the signature algorithm used |
|
580 * @param provider the name of the provider, may be null |
|
581 * |
|
582 * @exception NoSuchAlgorithmException on unsupported signature |
|
583 * algorithms |
|
584 * @exception InvalidKeyException on incorrect key |
|
585 * @exception InvalidAlgorithmParameterException on invalid signature |
|
586 * parameters |
|
587 * @exception NoSuchProviderException on incorrect provider |
|
588 * @exception SignatureException on signature errors |
|
589 * @exception CertificateException on encoding errors |
|
590 */ |
|
591 public void sign(PrivateKey key, AlgorithmParameterSpec signingParams, |
|
592 String algorithm, String provider) |
|
593 throws CertificateException, NoSuchAlgorithmException, |
|
594 InvalidKeyException, InvalidAlgorithmParameterException, |
|
595 NoSuchProviderException, SignatureException { |
539 try { |
596 try { |
540 if (readOnly) |
597 if (readOnly) |
541 throw new CertificateEncodingException( |
598 throw new CertificateEncodingException( |
542 "cannot over-write existing certificate"); |
599 "cannot over-write existing certificate"); |
543 Signature sigEngine = null; |
600 Signature sigEngine = null; |
546 else |
603 else |
547 sigEngine = Signature.getInstance(algorithm, provider); |
604 sigEngine = Signature.getInstance(algorithm, provider); |
548 |
605 |
549 sigEngine.initSign(key); |
606 sigEngine.initSign(key); |
550 |
607 |
551 // in case the name is reset |
608 // set parameters after Signature.initSign/initVerify call, so |
552 algId = AlgorithmId.get(sigEngine.getAlgorithm()); |
609 // the deferred provider selection happens when the key is set |
553 |
610 try { |
|
611 sigEngine.setParameter(signingParams); |
|
612 } catch (UnsupportedOperationException e) { |
|
613 // for backward compatibility, only re-throw when |
|
614 // parameters is not null |
|
615 if (signingParams != null) throw e; |
|
616 } |
|
617 |
|
618 // in case the name is reset |
|
619 if (signingParams != null) { |
|
620 algId = AlgorithmId.get(sigEngine.getParameters()); |
|
621 } else { |
|
622 algId = AlgorithmId.get(algorithm); |
|
623 } |
554 DerOutputStream out = new DerOutputStream(); |
624 DerOutputStream out = new DerOutputStream(); |
555 DerOutputStream tmp = new DerOutputStream(); |
625 DerOutputStream tmp = new DerOutputStream(); |
556 |
626 |
557 // encode certificate info |
627 // encode certificate info |
558 info.encode(tmp); |
628 info.encode(tmp); |