1 /* |
1 /* |
2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
33 |
33 |
34 /** |
34 /** |
35 * This class implements the URIName as required by the GeneralNames |
35 * This class implements the URIName as required by the GeneralNames |
36 * ASN.1 object. |
36 * ASN.1 object. |
37 * <p> |
37 * <p> |
38 * [RFC3280] When the subjectAltName extension contains a URI, the name MUST be |
38 * [RFC5280] When the subjectAltName extension contains a URI, the name MUST be |
39 * stored in the uniformResourceIdentifier (an IA5String). The name MUST |
39 * stored in the uniformResourceIdentifier (an IA5String). The name MUST |
40 * be a non-relative URL, and MUST follow the URL syntax and encoding |
40 * be a non-relative URL, and MUST follow the URL syntax and encoding |
41 * rules specified in [RFC 1738]. The name must include both a scheme |
41 * rules specified in [RFC 3986]. The name must include both a scheme |
42 * (e.g., "http" or "ftp") and a scheme-specific-part. The scheme- |
42 * (e.g., "http" or "ftp") and a scheme-specific-part. The scheme- |
43 * specific-part must include a fully qualified domain name or IP |
43 * specific-part must include a fully qualified domain name or IP |
44 * address as the host. |
44 * address as the host. |
45 * <p> |
45 * <p> |
46 * As specified in [RFC 1738], the scheme name is not case-sensitive |
46 * As specified in [RFC 3986], the scheme name is not case-sensitive |
47 * (e.g., "http" is equivalent to "HTTP"). The host part is also not |
47 * (e.g., "http" is equivalent to "HTTP"). The host part is also not |
48 * case-sensitive, but other components of the scheme-specific-part may |
48 * case-sensitive, but other components of the scheme-specific-part may |
49 * be case-sensitive. When comparing URIs, conforming implementations |
49 * be case-sensitive. When comparing URIs, conforming implementations |
50 * MUST compare the scheme and host without regard to case, but assume |
50 * MUST compare the scheme and host without regard to case, but assume |
51 * the remainder of the scheme-specific-part is case sensitive. |
51 * the remainder of the scheme-specific-part is case sensitive. |
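Review bot: In the class javadoc, lines 38-46 swap only the bracketed references ([RFC3280] to [RFC5280], [RFC 1738] to [RFC 3986]) and leave the quoted requirement text word for word as it was, so the paragraph now presents itself as a quotation from RFC 5280 without the wording having been checked against that document. Compare the text with the subjectAltName section of RFC 5280 and either update the quote or mark it as a paraphrase; "URL syntax and encoding rules specified in [RFC 3986]" is a visible sign of the mismatch, since RFC 3986 defines generic URI syntax. This matters because the parsing code at lines 115-120 deliberately accepts a URI with no host, and readers will use this paragraph to judge how far that departs from the requirement. Also settle on one citation form: "[RFC5280]" and "[RFC 3986]" differ in spacing within the same comment.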
111 if (uri.getScheme() == null) { |
111 if (uri.getScheme() == null) { |
112 throw new IOException("URI name must include scheme:" + name); |
112 throw new IOException("URI name must include scheme:" + name); |
113 } |
113 } |
114 |
114 |
115 host = uri.getHost(); |
115 host = uri.getHost(); |
116 // RFC 3280 says that the host should be non-null, but we allow it to |
116 // RFC 5280 says that the host should be non-null, but we allow it to |
117 // be null because some widely deployed certificates contain CDP |
117 // be null because some widely deployed certificates contain CDP |
118 // extensions with URIs that have no hostname (see bugs 4802236 and |
118 // extensions with URIs that have no hostname (see bugs 4802236 and |
119 // 5107944). |
119 // 5107944). |
120 if (host != null) { |
120 if (host != null) { |
121 if (host.charAt(0) == '[') { |
121 if (host.charAt(0) == '[') { |
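Review bot: The comment at lines 116-119 now reads "RFC 5280 says that the host should be non-null" with no section number, unlike the nameConstraint javadoc, which cites 4.2.1.10; add the section so the leniency can be checked against the text it claims to relax. Because the javadoc at line 303 states that "the constraint applies to the host part of the name", the comment should also say how a URIName whose host is null is treated when NameConstraints are evaluated, since that is the security-relevant consequence of accepting these certificates.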
146 } |
146 } |
147 |
147 |
148 /** |
148 /** |
149 * Create the URIName object with the specified name constraint. URI |
149 * Create the URIName object with the specified name constraint. URI |
150 * name constraints syntax is different than SubjectAltNames, etc. See |
150 * name constraints syntax is different than SubjectAltNames, etc. See |
151 * 4.2.1.11 of RFC 3280. |
151 * 4.2.1.10 of RFC 5280. |
152 * |
152 * |
153 * @param value the URI name constraint |
153 * @param value the URI name constraint |
154 * @throws IOException if name is not a proper URI name constraint |
154 * @throws IOException if name is not a proper URI name constraint |
155 */ |
155 */ |
156 public static URIName nameConstraint(DerValue value) throws IOException { |
156 public static URIName nameConstraint(DerValue value) throws IOException { |
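Review bot: Line 154 documents "@throws IOException if name is not a proper URI name constraint" while the parameter on line 153 is called value; align the two while this javadoc is being edited. The sentence "URI name constraints syntax is different than SubjectAltNames, etc." (lines 149-150) would be more useful if it said what the difference is, for example that a constraint is a host or a domain beginning with a period, as the javadoc at lines 304-305 describes.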
298 * is same type. |
298 * is same type. |
299 * </ul>. |
299 * </ul>. |
300 * These results are used in checking NameConstraints during |
300 * These results are used in checking NameConstraints during |
301 * certification path verification. |
301 * certification path verification. |
302 * <p> |
302 * <p> |
303 * RFC3280: For URIs, the constraint applies to the host part of the name. |
303 * RFC5280: For URIs, the constraint applies to the host part of the name. |
304 * The constraint may specify a host or a domain. Examples would be |
304 * The constraint may specify a host or a domain. Examples would be |
305 * "foo.bar.com"; and ".xyz.com". When the the constraint begins with |
305 * "foo.bar.com"; and ".xyz.com". When the the constraint begins with |
306 * a period, it may be expanded with one or more subdomains. That is, |
306 * a period, it may be expanded with one or more subdomains. That is, |
307 * the constraint ".xyz.com" is satisfied by both abc.xyz.com and |
307 * the constraint ".xyz.com" is satisfied by both abc.xyz.com and |
308 * abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied |
308 * abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied |
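Review bot: Line 305 still reads "When the the constraint begins with" on both sides; fix the doubled word in the same change, and drop the stray period in "</ul>." on line 299. The citation is written "RFC5280:" here, "[RFC5280]" in the class javadoc and "RFC 5280" at lines 116 and 151; use one form throughout the file.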