1 /* |
1 /* |
2 * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
38 * <p> |
38 * <p> |
39 * This class represents a "most-trusted CA", which is used as a trust anchor |
39 * This class represents a "most-trusted CA", which is used as a trust anchor |
40 * for validating X.509 certification paths. A most-trusted CA includes the |
40 * for validating X.509 certification paths. A most-trusted CA includes the |
41 * public key of the CA, the CA's name, and any constraints upon the set of |
41 * public key of the CA, the CA's name, and any constraints upon the set of |
42 * paths which may be validated using this key. These parameters can be |
42 * paths which may be validated using this key. These parameters can be |
43 * specified in the form of a trusted <code>X509Certificate</code> or as |
43 * specified in the form of a trusted {@code X509Certificate} or as |
44 * individual parameters. |
44 * individual parameters. |
45 * <p> |
45 * <p> |
46 * <b>Concurrent Access</b> |
46 * <b>Concurrent Access</b> |
47 * <p> |
47 * <p> |
48 * <p>All <code>TrustAnchor</code> objects must be immutable and |
48 * <p>All {@code TrustAnchor} objects must be immutable and |
49 * thread-safe. That is, multiple threads may concurrently invoke the |
49 * thread-safe. That is, multiple threads may concurrently invoke the |
50 * methods defined in this class on a single <code>TrustAnchor</code> |
50 * methods defined in this class on a single {@code TrustAnchor} |
51 * object (or more than one) with no ill effects. Requiring |
51 * object (or more than one) with no ill effects. Requiring |
52 * <code>TrustAnchor</code> objects to be immutable and thread-safe |
52 * {@code TrustAnchor} objects to be immutable and thread-safe |
53 * allows them to be passed around to various pieces of code without |
53 * allows them to be passed around to various pieces of code without |
54 * worrying about coordinating access. This stipulation applies to all |
54 * worrying about coordinating access. This stipulation applies to all |
55 * public fields and methods of this class and any added or overridden |
55 * public fields and methods of this class and any added or overridden |
56 * by subclasses. |
56 * by subclasses. |
57 * |
57 * |
69 private final X509Certificate trustedCert; |
69 private final X509Certificate trustedCert; |
70 private byte[] ncBytes; |
70 private byte[] ncBytes; |
71 private NameConstraintsExtension nc; |
71 private NameConstraintsExtension nc; |
72 |
72 |
73 /** |
73 /** |
74 * Creates an instance of <code>TrustAnchor</code> with the specified |
74 * Creates an instance of {@code TrustAnchor} with the specified |
75 * <code>X509Certificate</code> and optional name constraints, which |
75 * {@code X509Certificate} and optional name constraints, which |
76 * are intended to be used as additional constraints when validating |
76 * are intended to be used as additional constraints when validating |
77 * an X.509 certification path. |
77 * an X.509 certification path. |
78 * <p> |
78 * <p> |
79 * The name constraints are specified as a byte array. This byte array |
79 * The name constraints are specified as a byte array. This byte array |
80 * should contain the DER encoded form of the name constraints, as they |
80 * should contain the DER encoded form of the name constraints, as they |
81 * would appear in the NameConstraints structure defined in |
81 * would appear in the NameConstraints structure defined in |
82 * <a href="http://www.ietf.org/rfc/rfc3280">RFC 3280</a> |
82 * <a href="http://www.ietf.org/rfc/rfc3280">RFC 3280</a> |
83 * and X.509. The ASN.1 definition of this structure appears below. |
83 * and X.509. The ASN.1 definition of this structure appears below. |
84 * |
84 * |
85 * <pre><code> |
85 * <pre>{@code |
86 * NameConstraints ::= SEQUENCE { |
86 * NameConstraints ::= SEQUENCE { |
87 * permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
87 * permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
88 * excludedSubtrees [1] GeneralSubtrees OPTIONAL } |
88 * excludedSubtrees [1] GeneralSubtrees OPTIONAL } |
89 * |
89 * |
90 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree |
90 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree |
104 * directoryName [4] Name, |
104 * directoryName [4] Name, |
105 * ediPartyName [5] EDIPartyName, |
105 * ediPartyName [5] EDIPartyName, |
106 * uniformResourceIdentifier [6] IA5String, |
106 * uniformResourceIdentifier [6] IA5String, |
107 * iPAddress [7] OCTET STRING, |
107 * iPAddress [7] OCTET STRING, |
108 * registeredID [8] OBJECT IDENTIFIER} |
108 * registeredID [8] OBJECT IDENTIFIER} |
109 * </code></pre> |
109 * }</pre> |
110 * <p> |
110 * <p> |
111 * Note that the name constraints byte array supplied is cloned to protect |
111 * Note that the name constraints byte array supplied is cloned to protect |
112 * against subsequent modifications. |
112 * against subsequent modifications. |
113 * |
113 * |
114 * @param trustedCert a trusted <code>X509Certificate</code> |
114 * @param trustedCert a trusted {@code X509Certificate} |
115 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
115 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
116 * a NameConstraints extension to be used for checking name constraints. |
116 * a NameConstraints extension to be used for checking name constraints. |
117 * Only the value of the extension is included, not the OID or criticality |
117 * Only the value of the extension is included, not the OID or criticality |
118 * flag. Specify <code>null</code> to omit the parameter. |
118 * flag. Specify {@code null} to omit the parameter. |
119 * @throws IllegalArgumentException if the name constraints cannot be |
119 * @throws IllegalArgumentException if the name constraints cannot be |
120 * decoded |
120 * decoded |
121 * @throws NullPointerException if the specified |
121 * @throws NullPointerException if the specified |
122 * <code>X509Certificate</code> is <code>null</code> |
122 * {@code X509Certificate} is {@code null} |
123 */ |
123 */ |
124 public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) |
124 public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) |
125 { |
125 { |
126 if (trustedCert == null) |
126 if (trustedCert == null) |
127 throw new NullPointerException("the trustedCert parameter must " + |
127 throw new NullPointerException("the trustedCert parameter must " + |
132 this.caPrincipal = null; |
132 this.caPrincipal = null; |
133 setNameConstraints(nameConstraints); |
133 setNameConstraints(nameConstraints); |
134 } |
134 } |
135 |
135 |
136 /** |
136 /** |
137 * Creates an instance of <code>TrustAnchor</code> where the |
137 * Creates an instance of {@code TrustAnchor} where the |
138 * most-trusted CA is specified as an X500Principal and public key. |
138 * most-trusted CA is specified as an X500Principal and public key. |
139 * Name constraints are an optional parameter, and are intended to be used |
139 * Name constraints are an optional parameter, and are intended to be used |
140 * as additional constraints when validating an X.509 certification path. |
140 * as additional constraints when validating an X.509 certification path. |
141 * <p> |
141 * <p> |
142 * The name constraints are specified as a byte array. This byte array |
142 * The name constraints are specified as a byte array. This byte array |
153 * @param caPrincipal the name of the most-trusted CA as X500Principal |
153 * @param caPrincipal the name of the most-trusted CA as X500Principal |
154 * @param pubKey the public key of the most-trusted CA |
154 * @param pubKey the public key of the most-trusted CA |
155 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
155 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
156 * a NameConstraints extension to be used for checking name constraints. |
156 * a NameConstraints extension to be used for checking name constraints. |
157 * Only the value of the extension is included, not the OID or criticality |
157 * Only the value of the extension is included, not the OID or criticality |
158 * flag. Specify <code>null</code> to omit the parameter. |
158 * flag. Specify {@code null} to omit the parameter. |
159 * @throws NullPointerException if the specified <code>caPrincipal</code> or |
159 * @throws NullPointerException if the specified {@code caPrincipal} or |
160 * <code>pubKey</code> parameter is <code>null</code> |
160 * {@code pubKey} parameter is {@code null} |
161 * @since 1.5 |
161 * @since 1.5 |
162 */ |
162 */ |
163 public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, |
163 public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, |
164 byte[] nameConstraints) { |
164 byte[] nameConstraints) { |
165 if ((caPrincipal == null) || (pubKey == null)) { |
165 if ((caPrincipal == null) || (pubKey == null)) { |
171 this.pubKey = pubKey; |
171 this.pubKey = pubKey; |
172 setNameConstraints(nameConstraints); |
172 setNameConstraints(nameConstraints); |
173 } |
173 } |
174 |
174 |
175 /** |
175 /** |
176 * Creates an instance of <code>TrustAnchor</code> where the |
176 * Creates an instance of {@code TrustAnchor} where the |
177 * most-trusted CA is specified as a distinguished name and public key. |
177 * most-trusted CA is specified as a distinguished name and public key. |
178 * Name constraints are an optional parameter, and are intended to be used |
178 * Name constraints are an optional parameter, and are intended to be used |
179 * as additional constraints when validating an X.509 certification path. |
179 * as additional constraints when validating an X.509 certification path. |
180 * <p> |
180 * <p> |
181 * The name constraints are specified as a byte array. This byte array |
181 * The name constraints are specified as a byte array. This byte array |
189 * Note that the name constraints byte array supplied here is cloned to |
189 * Note that the name constraints byte array supplied here is cloned to |
190 * protect against subsequent modifications. |
190 * protect against subsequent modifications. |
191 * |
191 * |
192 * @param caName the X.500 distinguished name of the most-trusted CA in |
192 * @param caName the X.500 distinguished name of the most-trusted CA in |
193 * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> |
193 * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> |
194 * <code>String</code> format |
194 * {@code String} format |
195 * @param pubKey the public key of the most-trusted CA |
195 * @param pubKey the public key of the most-trusted CA |
196 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
196 * @param nameConstraints a byte array containing the ASN.1 DER encoding of |
197 * a NameConstraints extension to be used for checking name constraints. |
197 * a NameConstraints extension to be used for checking name constraints. |
198 * Only the value of the extension is included, not the OID or criticality |
198 * Only the value of the extension is included, not the OID or criticality |
199 * flag. Specify <code>null</code> to omit the parameter. |
199 * flag. Specify {@code null} to omit the parameter. |
200 * @throws IllegalArgumentException if the specified <code> |
200 * @throws IllegalArgumentException if the specified |
201 * caName</code> parameter is empty <code>(caName.length() == 0)</code> |
201 * {@code caName} parameter is empty {@code (caName.length() == 0)} |
202 * or incorrectly formatted or the name constraints cannot be decoded |
202 * or incorrectly formatted or the name constraints cannot be decoded |
203 * @throws NullPointerException if the specified <code>caName</code> or |
203 * @throws NullPointerException if the specified {@code caName} or |
204 * <code>pubKey</code> parameter is <code>null</code> |
204 * {@code pubKey} parameter is {@code null} |
205 */ |
205 */ |
206 public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints) |
206 public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints) |
207 { |
207 { |
208 if (pubKey == null) |
208 if (pubKey == null) |
209 throw new NullPointerException("the pubKey parameter must be " + |
209 throw new NullPointerException("the pubKey parameter must be " + |
223 } |
223 } |
224 |
224 |
225 /** |
225 /** |
226 * Returns the most-trusted CA certificate. |
226 * Returns the most-trusted CA certificate. |
227 * |
227 * |
228 * @return a trusted <code>X509Certificate</code> or <code>null</code> |
228 * @return a trusted {@code X509Certificate} or {@code null} |
229 * if the trust anchor was not specified as a trusted certificate |
229 * if the trust anchor was not specified as a trusted certificate |
230 */ |
230 */ |
231 public final X509Certificate getTrustedCert() { |
231 public final X509Certificate getTrustedCert() { |
232 return this.trustedCert; |
232 return this.trustedCert; |
233 } |
233 } |
234 |
234 |
235 /** |
235 /** |
236 * Returns the name of the most-trusted CA as an X500Principal. |
236 * Returns the name of the most-trusted CA as an X500Principal. |
237 * |
237 * |
238 * @return the X.500 distinguished name of the most-trusted CA, or |
238 * @return the X.500 distinguished name of the most-trusted CA, or |
239 * <code>null</code> if the trust anchor was not specified as a trusted |
239 * {@code null} if the trust anchor was not specified as a trusted |
240 * public key and name or X500Principal pair |
240 * public key and name or X500Principal pair |
241 * @since 1.5 |
241 * @since 1.5 |
242 */ |
242 */ |
243 public final X500Principal getCA() { |
243 public final X500Principal getCA() { |
244 return this.caPrincipal; |
244 return this.caPrincipal; |
245 } |
245 } |
246 |
246 |
247 /** |
247 /** |
248 * Returns the name of the most-trusted CA in RFC 2253 <code>String</code> |
248 * Returns the name of the most-trusted CA in RFC 2253 {@code String} |
249 * format. |
249 * format. |
250 * |
250 * |
251 * @return the X.500 distinguished name of the most-trusted CA, or |
251 * @return the X.500 distinguished name of the most-trusted CA, or |
252 * <code>null</code> if the trust anchor was not specified as a trusted |
252 * {@code null} if the trust anchor was not specified as a trusted |
253 * public key and name or X500Principal pair |
253 * public key and name or X500Principal pair |
254 */ |
254 */ |
255 public final String getCAName() { |
255 public final String getCAName() { |
256 return this.caName; |
256 return this.caName; |
257 } |
257 } |
258 |
258 |
259 /** |
259 /** |
260 * Returns the public key of the most-trusted CA. |
260 * Returns the public key of the most-trusted CA. |
261 * |
261 * |
262 * @return the public key of the most-trusted CA, or <code>null</code> |
262 * @return the public key of the most-trusted CA, or {@code null} |
263 * if the trust anchor was not specified as a trusted public key and name |
263 * if the trust anchor was not specified as a trusted public key and name |
264 * or X500Principal pair |
264 * or X500Principal pair |
265 */ |
265 */ |
266 public final PublicKey getCAPublicKey() { |
266 public final PublicKey getCAPublicKey() { |
267 return this.pubKey; |
267 return this.pubKey; |
304 * Note that the byte array returned is cloned to protect against |
304 * Note that the byte array returned is cloned to protect against |
305 * subsequent modifications. |
305 * subsequent modifications. |
306 * |
306 * |
307 * @return a byte array containing the ASN.1 DER encoding of |
307 * @return a byte array containing the ASN.1 DER encoding of |
308 * a NameConstraints extension used for checking name constraints, |
308 * a NameConstraints extension used for checking name constraints, |
309 * or <code>null</code> if not set. |
309 * or {@code null} if not set. |
310 */ |
310 */ |
311 public final byte [] getNameConstraints() { |
311 public final byte [] getNameConstraints() { |
312 return ncBytes == null ? null : ncBytes.clone(); |
312 return ncBytes == null ? null : ncBytes.clone(); |
313 } |
313 } |
314 |
314 |
315 /** |
315 /** |
316 * Returns a formatted string describing the <code>TrustAnchor</code>. |
316 * Returns a formatted string describing the {@code TrustAnchor}. |
317 * |
317 * |
318 * @return a formatted string describing the <code>TrustAnchor</code> |
318 * @return a formatted string describing the {@code TrustAnchor} |
319 */ |
319 */ |
320 public String toString() { |
320 public String toString() { |
321 StringBuffer sb = new StringBuffer(); |
321 StringBuffer sb = new StringBuffer(); |
322 sb.append("[\n"); |
322 sb.append("[\n"); |
323 if (pubKey != null) { |
323 if (pubKey != null) { |