1 /* |
1 /* |
2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
63 * usually, since it is possible for two issuing CAs to have the same |
63 * usually, since it is possible for two issuing CAs to have the same |
64 * distinguished name and each issue a certificate with the same serial |
64 * distinguished name and each issue a certificate with the same serial |
65 * number. Other unique combinations include the issuer, subject, |
65 * number. Other unique combinations include the issuer, subject, |
66 * subjectKeyIdentifier and/or the subjectPublicKey criteria. |
66 * subjectKeyIdentifier and/or the subjectPublicKey criteria. |
67 * <p> |
67 * <p> |
68 * Please refer to <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: |
68 * Please refer to <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: |
69 * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for |
69 * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for |
70 * definitions of the X.509 certificate extensions mentioned below. |
70 * definitions of the X.509 certificate extensions mentioned below. |
71 * <p> |
71 * <p> |
72 * <b>Concurrent Access</b> |
72 * <b>Concurrent Access</b> |
73 * <p> |
73 * <p> |
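Review bot: the updated RFC 5280 link uses the tools.ietf.org/html/rfc5280 form, while the other RFC link in this file (the RFC 822 link in the addSubjectAlternativeName javadoc, which this patch leaves as http://www.ietf.org/rfc/rfc822.txt) keeps the www.ietf.org/rfc/rfcNNNN.txt form; pick one URL style for the class so the two references do not drift apart.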
726 * duplicate, it may be ignored. |
726 * duplicate, it may be ignored. |
727 * <p> |
727 * <p> |
728 * The name is provided in string format. |
728 * The name is provided in string format. |
729 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI |
729 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI |
730 * names use the well-established string formats for those types (subject to |
730 * names use the well-established string formats for those types (subject to |
731 * the restrictions included in RFC 3280). IPv4 address names are |
731 * the restrictions included in RFC 5280). IPv4 address names are |
732 * supplied using dotted quad notation. OID address names are represented |
732 * supplied using dotted quad notation. OID address names are represented |
733 * as a series of nonnegative integers separated by periods. And |
733 * as a series of nonnegative integers separated by periods. And |
734 * directory names (distinguished names) are supplied in RFC 2253 format. |
734 * directory names (distinguished names) are supplied in RFC 2253 format. |
735 * No standard string format is defined for otherNames, X.400 names, |
735 * No standard string format is defined for otherNames, X.400 names, |
736 * EDI party names, IPv6 address names, or any other type of names. They |
736 * EDI party names, IPv6 address names, or any other type of names. They |
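Review bot: this hunk updates the RFC 3280 reference but leaves "directory names (distinguished names) are supplied in RFC 2253 format" untouched; since the patch is replacing obsoleted RFC numbers, state whether the RFC 2253 reference is kept deliberately (it matches the X500Principal.RFC2253 format constant the string form is parsed with) or whether it should likewise point at RFC 4514, which obsoletes RFC 2253. A short comment either way avoids a follow-up patch asking the same question.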
744 * This method should not be relied on as it can fail to match some |
744 * This method should not be relied on as it can fail to match some |
745 * certificates because of a loss of encoding information in the RFC 2253 |
745 * certificates because of a loss of encoding information in the RFC 2253 |
746 * String form of some distinguished names. |
746 * String form of some distinguished names. |
747 * |
747 * |
748 * @param type the name type (0-8, as specified in |
748 * @param type the name type (0-8, as specified in |
749 * RFC 3280, section 4.2.1.7) |
749 * RFC 5280, section 4.2.1.6) |
750 * @param name the name in string form (not {@code null}) |
750 * @param name the name in string form (not {@code null}) |
751 * @throws IOException if a parsing error occurs |
751 * @throws IOException if a parsing error occurs |
752 */ |
752 */ |
753 public void addSubjectAlternativeName(int type, String name) |
753 public void addSubjectAlternativeName(int type, String name) |
754 throws IOException { |
754 throws IOException { |
768 * subjectAlternativeNames criterion. If the specified name is a |
768 * subjectAlternativeNames criterion. If the specified name is a |
769 * duplicate, it may be ignored. |
769 * duplicate, it may be ignored. |
770 * <p> |
770 * <p> |
771 * The name is provided as a byte array. This byte array should contain |
771 * The name is provided as a byte array. This byte array should contain |
772 * the DER encoded name, as it would appear in the GeneralName structure |
772 * the DER encoded name, as it would appear in the GeneralName structure |
773 * defined in RFC 3280 and X.509. The encoded byte array should only contain |
773 * defined in RFC 5280 and X.509. The encoded byte array should only contain |
774 * the encoded value of the name, and should not include the tag associated |
774 * the encoded value of the name, and should not include the tag associated |
775 * with the name in the GeneralName structure. The ASN.1 definition of this |
775 * with the name in the GeneralName structure. The ASN.1 definition of this |
776 * structure appears below. |
776 * structure appears below. |
777 * <pre>{@code |
777 * <pre>{@code |
778 * GeneralName ::= CHOICE { |
778 * GeneralName ::= CHOICE { |
804 * A private method that adds a name (String or byte array) to the |
804 * A private method that adds a name (String or byte array) to the |
805 * subjectAlternativeNames criterion. The {@code X509Certificate} |
805 * subjectAlternativeNames criterion. The {@code X509Certificate} |
806 * must contain the specified subjectAlternativeName. |
806 * must contain the specified subjectAlternativeName. |
807 * |
807 * |
808 * @param type the name type (0-8, as specified in |
808 * @param type the name type (0-8, as specified in |
809 * RFC 3280, section 4.2.1.7) |
809 * RFC 5280, section 4.2.1.6) |
810 * @param name the name in string or byte array form |
810 * @param name the name in string or byte array form |
811 * @throws IOException if a parsing error occurs |
811 * @throws IOException if a parsing error occurs |
812 */ |
812 */ |
813 private void addSubjectAlternativeNameInternal(int type, Object name) |
813 private void addSubjectAlternativeNameInternal(int type, Object name) |
814 throws IOException { |
814 throws IOException { |
993 * must have subject and subject alternative names that |
993 * must have subject and subject alternative names that |
994 * meet the specified name constraints. |
994 * meet the specified name constraints. |
995 * <p> |
995 * <p> |
996 * The name constraints are specified as a byte array. This byte array |
996 * The name constraints are specified as a byte array. This byte array |
997 * should contain the DER encoded form of the name constraints, as they |
997 * should contain the DER encoded form of the name constraints, as they |
998 * would appear in the NameConstraints structure defined in RFC 3280 |
998 * would appear in the NameConstraints structure defined in RFC 5280 |
999 * and X.509. The ASN.1 definition of this structure appears below. |
999 * and X.509. The ASN.1 definition of this structure appears below. |
1000 * |
1000 * |
1001 * <pre>{@code |
1001 * <pre>{@code |
1002 * NameConstraints ::= SEQUENCE { |
1002 * NameConstraints ::= SEQUENCE { |
1003 * permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
1003 * permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
1195 * The specified name is added to any previous value for the |
1195 * The specified name is added to any previous value for the |
1196 * pathToNames criterion. If the name is a duplicate, it may be ignored. |
1196 * pathToNames criterion. If the name is a duplicate, it may be ignored. |
1197 * <p> |
1197 * <p> |
1198 * The name is provided in string format. RFC 822, DNS, and URI names |
1198 * The name is provided in string format. RFC 822, DNS, and URI names |
1199 * use the well-established string formats for those types (subject to |
1199 * use the well-established string formats for those types (subject to |
1200 * the restrictions included in RFC 3280). IPv4 address names are |
1200 * the restrictions included in RFC 5280). IPv4 address names are |
1201 * supplied using dotted quad notation. OID address names are represented |
1201 * supplied using dotted quad notation. OID address names are represented |
1202 * as a series of nonnegative integers separated by periods. And |
1202 * as a series of nonnegative integers separated by periods. And |
1203 * directory names (distinguished names) are supplied in RFC 2253 format. |
1203 * directory names (distinguished names) are supplied in RFC 2253 format. |
1204 * No standard string format is defined for otherNames, X.400 names, |
1204 * No standard string format is defined for otherNames, X.400 names, |
1205 * EDI party names, IPv6 address names, or any other type of names. They |
1205 * EDI party names, IPv6 address names, or any other type of names. They |
1212 * This method should not be relied on as it can fail to match some |
1212 * This method should not be relied on as it can fail to match some |
1213 * certificates because of a loss of encoding information in the RFC 2253 |
1213 * certificates because of a loss of encoding information in the RFC 2253 |
1214 * String form of some distinguished names. |
1214 * String form of some distinguished names. |
1215 * |
1215 * |
1216 * @param type the name type (0-8, as specified in |
1216 * @param type the name type (0-8, as specified in |
1217 * RFC 3280, section 4.2.1.7) |
1217 * RFC 5280, section 4.2.1.6) |
1218 * @param name the name in string form |
1218 * @param name the name in string form |
1219 * @throws IOException if a parsing error occurs |
1219 * @throws IOException if a parsing error occurs |
1220 */ |
1220 */ |
1221 public void addPathToName(int type, String name) throws IOException { |
1221 public void addPathToName(int type, String name) throws IOException { |
1222 addPathToNameInternal(type, name); |
1222 addPathToNameInternal(type, name); |
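Review bot: the @param name line here reads "the name in string form" while the parallel addSubjectAlternativeName(int, String) javadoc reads "the name in string form (not {@code null})"; since both delegate to an internal method that parses the string, add the same "(not {@code null})" note here so the null contract is documented consistently for both methods.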
1232 * The specified name is added to any previous value for the |
1232 * The specified name is added to any previous value for the |
1233 * pathToNames criterion. If the name is a duplicate, it may be ignored. |
1233 * pathToNames criterion. If the name is a duplicate, it may be ignored. |
1234 * <p> |
1234 * <p> |
1235 * The name is provided as a byte array. This byte array should contain |
1235 * The name is provided as a byte array. This byte array should contain |
1236 * the DER encoded name, as it would appear in the GeneralName structure |
1236 * the DER encoded name, as it would appear in the GeneralName structure |
1237 * defined in RFC 3280 and X.509. The ASN.1 definition of this structure |
1237 * defined in RFC 5280 and X.509. The ASN.1 definition of this structure |
1238 * appears in the documentation for |
1238 * appears in the documentation for |
1239 * {@link #addSubjectAlternativeName(int type, byte [] name) |
1239 * {@link #addSubjectAlternativeName(int type, byte [] name) |
1240 * addSubjectAlternativeName(int type, byte [] name)}. |
1240 * addSubjectAlternativeName(int type, byte [] name)}. |
1241 * <p> |
1241 * <p> |
1242 * Note that the byte array supplied here is cloned to protect against |
1242 * Note that the byte array supplied here is cloned to protect against |
1243 * subsequent modifications. |
1243 * subsequent modifications. |
1244 * |
1244 * |
1245 * @param type the name type (0-8, as specified in |
1245 * @param type the name type (0-8, as specified in |
1246 * RFC 3280, section 4.2.1.7) |
1246 * RFC 5280, section 4.2.1.6) |
1247 * @param name a byte array containing the name in ASN.1 DER encoded form |
1247 * @param name a byte array containing the name in ASN.1 DER encoded form |
1248 * @throws IOException if a parsing error occurs |
1248 * @throws IOException if a parsing error occurs |
1249 */ |
1249 */ |
1250 public void addPathToName(int type, byte [] name) throws IOException { |
1250 public void addPathToName(int type, byte [] name) throws IOException { |
1251 // clone because byte arrays are modifiable |
1251 // clone because byte arrays are modifiable |
1256 * A private method that adds a name (String or byte array) to the |
1256 * A private method that adds a name (String or byte array) to the |
1257 * pathToNames criterion. The {@code X509Certificate} must contain |
1257 * pathToNames criterion. The {@code X509Certificate} must contain |
1258 * the specified pathToName. |
1258 * the specified pathToName. |
1259 * |
1259 * |
1260 * @param type the name type (0-8, as specified in |
1260 * @param type the name type (0-8, as specified in |
1261 * RFC 3280, section 4.2.1.7) |
1261 * RFC 5280, section 4.2.1.6) |
1262 * @param name the name in string or byte array form |
1262 * @param name the name in string or byte array form |
1263 * @throws IOException if an encoding error occurs (incorrect form for DN) |
1263 * @throws IOException if an encoding error occurs (incorrect form for DN) |
1264 */ |
1264 */ |
1265 private void addPathToNameInternal(int type, Object name) |
1265 private void addPathToNameInternal(int type, Object name) |
1266 throws IOException { |
1266 throws IOException { |
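Review bot: the @throws wording differs between the two parallel internal methods: addSubjectAlternativeNameInternal documents "if a parsing error occurs" while addPathToNameInternal documents "if an encoding error occurs (incorrect form for DN)"; both accept the same String-or-byte-array name and both fail on malformed input, so use one description (the public methods both say "if a parsing error occurs") to keep the private javadoc in step with the public one.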
1713 * must have subject and subject alternative names that |
1713 * must have subject and subject alternative names that |
1714 * meet the specified name constraints. |
1714 * meet the specified name constraints. |
1715 * <p> |
1715 * <p> |
1716 * The name constraints are returned as a byte array. This byte array |
1716 * The name constraints are returned as a byte array. This byte array |
1717 * contains the DER encoded form of the name constraints, as they |
1717 * contains the DER encoded form of the name constraints, as they |
1718 * would appear in the NameConstraints structure defined in RFC 3280 |
1718 * would appear in the NameConstraints structure defined in RFC 5280 |
1719 * and X.509. The ASN.1 notation for this structure is supplied in the |
1719 * and X.509. The ASN.1 notation for this structure is supplied in the |
1720 * documentation for |
1720 * documentation for |
1721 * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}. |
1721 * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}. |
1722 * <p> |
1722 * <p> |
1723 * Note that the byte array returned is cloned to protect against |
1723 * Note that the byte array returned is cloned to protect against |