37 import sun.security.util.DerValue; |
37 import sun.security.util.DerValue; |
38 import sun.security.util.ObjectIdentifier; |
38 import sun.security.util.ObjectIdentifier; |
39 import sun.security.x509.*; |
39 import sun.security.x509.*; |
40 |
40 |
41 /** |
41 /** |
42 * A <code>CertSelector</code> that selects <code>X509Certificates</code> that |
42 * A {@code CertSelector} that selects {@code X509Certificates} that |
43 * match all specified criteria. This class is particularly useful when |
43 * match all specified criteria. This class is particularly useful when |
44 * selecting certificates from a <code>CertStore</code> to build a |
44 * selecting certificates from a {@code CertStore} to build a |
45 * PKIX-compliant certification path. |
45 * PKIX-compliant certification path. |
46 * <p> |
46 * <p> |
47 * When first constructed, an <code>X509CertSelector</code> has no criteria |
47 * When first constructed, an {@code X509CertSelector} has no criteria |
48 * enabled and each of the <code>get</code> methods return a default value |
48 * enabled and each of the {@code get} methods return a default value |
49 * (<code>null</code>, or <code>-1</code> for the {@link #getBasicConstraints |
49 * ({@code null}, or {@code -1} for the {@link #getBasicConstraints |
50 * getBasicConstraints} method). Therefore, the {@link #match match} |
50 * getBasicConstraints} method). Therefore, the {@link #match match} |
51 * method would return <code>true</code> for any <code>X509Certificate</code>. |
51 * method would return {@code true} for any {@code X509Certificate}. |
52 * Typically, several criteria are enabled (by calling |
52 * Typically, several criteria are enabled (by calling |
53 * {@link #setIssuer setIssuer} or |
53 * {@link #setIssuer setIssuer} or |
54 * {@link #setKeyUsage setKeyUsage}, for instance) and then the |
54 * {@link #setKeyUsage setKeyUsage}, for instance) and then the |
55 * <code>X509CertSelector</code> is passed to |
55 * {@code X509CertSelector} is passed to |
56 * {@link CertStore#getCertificates CertStore.getCertificates} or some similar |
56 * {@link CertStore#getCertificates CertStore.getCertificates} or some similar |
57 * method. |
57 * method. |
58 * <p> |
58 * <p> |
59 * Several criteria can be enabled (by calling {@link #setIssuer setIssuer} |
59 * Several criteria can be enabled (by calling {@link #setIssuer setIssuer} |
60 * and {@link #setSerialNumber setSerialNumber}, |
60 * and {@link #setSerialNumber setSerialNumber}, |
61 * for example) such that the <code>match</code> method |
61 * for example) such that the {@code match} method |
62 * usually uniquely matches a single <code>X509Certificate</code>. We say |
62 * usually uniquely matches a single {@code X509Certificate}. We say |
63 * usually, since it is possible for two issuing CAs to have the same |
63 * usually, since it is possible for two issuing CAs to have the same |
64 * distinguished name and each issue a certificate with the same serial |
64 * distinguished name and each issue a certificate with the same serial |
65 * number. Other unique combinations include the issuer, subject, |
65 * number. Other unique combinations include the issuer, subject, |
66 * subjectKeyIdentifier and/or the subjectPublicKey criteria. |
66 * subjectKeyIdentifier and/or the subjectPublicKey criteria. |
67 * <p> |
67 * <p> |
147 static final int NAME_URI = 6; |
147 static final int NAME_URI = 6; |
148 static final int NAME_IP = 7; |
148 static final int NAME_IP = 7; |
149 static final int NAME_OID = 8; |
149 static final int NAME_OID = 8; |
150 |
150 |
151 /** |
151 /** |
152 * Creates an <code>X509CertSelector</code>. Initially, no criteria are set |
152 * Creates an {@code X509CertSelector}. Initially, no criteria are set |
153 * so any <code>X509Certificate</code> will match. |
153 * so any {@code X509Certificate} will match. |
154 */ |
154 */ |
155 public X509CertSelector() { |
155 public X509CertSelector() { |
156 // empty |
156 // empty |
157 } |
157 } |
158 |
158 |
159 /** |
159 /** |
160 * Sets the certificateEquals criterion. The specified |
160 * Sets the certificateEquals criterion. The specified |
161 * <code>X509Certificate</code> must be equal to the |
161 * {@code X509Certificate} must be equal to the |
162 * <code>X509Certificate</code> passed to the <code>match</code> method. |
162 * {@code X509Certificate} passed to the {@code match} method. |
163 * If <code>null</code>, then this check is not applied. |
163 * If {@code null}, then this check is not applied. |
164 * |
164 * |
165 * <p>This method is particularly useful when it is necessary to |
165 * <p>This method is particularly useful when it is necessary to |
166 * match a single certificate. Although other criteria can be specified |
166 * match a single certificate. Although other criteria can be specified |
167 * in conjunction with the certificateEquals criterion, it is usually not |
167 * in conjunction with the certificateEquals criterion, it is usually not |
168 * practical or necessary. |
168 * practical or necessary. |
169 * |
169 * |
170 * @param cert the <code>X509Certificate</code> to match (or |
170 * @param cert the {@code X509Certificate} to match (or |
171 * <code>null</code>) |
171 * {@code null}) |
172 * @see #getCertificate |
172 * @see #getCertificate |
173 */ |
173 */ |
174 public void setCertificate(X509Certificate cert) { |
174 public void setCertificate(X509Certificate cert) { |
175 x509Cert = cert; |
175 x509Cert = cert; |
176 } |
176 } |
177 |
177 |
178 /** |
178 /** |
179 * Sets the serialNumber criterion. The specified serial number |
179 * Sets the serialNumber criterion. The specified serial number |
180 * must match the certificate serial number in the |
180 * must match the certificate serial number in the |
181 * <code>X509Certificate</code>. If <code>null</code>, any certificate |
181 * {@code X509Certificate}. If {@code null}, any certificate |
182 * serial number will do. |
182 * serial number will do. |
183 * |
183 * |
184 * @param serial the certificate serial number to match |
184 * @param serial the certificate serial number to match |
185 * (or <code>null</code>) |
185 * (or {@code null}) |
186 * @see #getSerialNumber |
186 * @see #getSerialNumber |
187 */ |
187 */ |
188 public void setSerialNumber(BigInteger serial) { |
188 public void setSerialNumber(BigInteger serial) { |
189 serialNumber = serial; |
189 serialNumber = serial; |
190 } |
190 } |
191 |
191 |
192 /** |
192 /** |
193 * Sets the issuer criterion. The specified distinguished name |
193 * Sets the issuer criterion. The specified distinguished name |
194 * must match the issuer distinguished name in the |
194 * must match the issuer distinguished name in the |
195 * <code>X509Certificate</code>. If <code>null</code>, any issuer |
195 * {@code X509Certificate}. If {@code null}, any issuer |
196 * distinguished name will do. |
196 * distinguished name will do. |
197 * |
197 * |
198 * @param issuer a distinguished name as X500Principal |
198 * @param issuer a distinguished name as X500Principal |
199 * (or <code>null</code>) |
199 * (or {@code null}) |
200 * @since 1.5 |
200 * @since 1.5 |
201 */ |
201 */ |
202 public void setIssuer(X500Principal issuer) { |
202 public void setIssuer(X500Principal issuer) { |
203 this.issuer = issuer; |
203 this.issuer = issuer; |
204 } |
204 } |
345 } |
345 } |
346 } |
346 } |
347 |
347 |
348 /** |
348 /** |
349 * Sets the subjectKeyIdentifier criterion. The |
349 * Sets the subjectKeyIdentifier criterion. The |
350 * <code>X509Certificate</code> must contain a SubjectKeyIdentifier |
350 * {@code X509Certificate} must contain a SubjectKeyIdentifier |
351 * extension for which the contents of the extension |
351 * extension for which the contents of the extension |
352 * matches the specified criterion value. |
352 * matches the specified criterion value. |
353 * If the criterion value is <code>null</code>, no |
353 * If the criterion value is {@code null}, no |
354 * subjectKeyIdentifier check will be done. |
354 * subjectKeyIdentifier check will be done. |
355 * <p> |
355 * <p> |
356 * If <code>subjectKeyID</code> is not <code>null</code>, it |
356 * If {@code subjectKeyID} is not {@code null}, it |
357 * should contain a single DER encoded value corresponding to the contents |
357 * should contain a single DER encoded value corresponding to the contents |
358 * of the extension value (not including the object identifier, |
358 * of the extension value (not including the object identifier, |
359 * criticality setting, and encapsulating OCTET STRING) |
359 * criticality setting, and encapsulating OCTET STRING) |
360 * for a SubjectKeyIdentifier extension. |
360 * for a SubjectKeyIdentifier extension. |
361 * The ASN.1 notation for this structure follows. |
361 * The ASN.1 notation for this structure follows. |
362 * <p> |
362 * <p> |
363 * <pre><code> |
363 * <pre>{@code |
364 * SubjectKeyIdentifier ::= KeyIdentifier |
364 * SubjectKeyIdentifier ::= KeyIdentifier |
365 * |
365 * |
366 * KeyIdentifier ::= OCTET STRING |
366 * KeyIdentifier ::= OCTET STRING |
367 * </code></pre> |
367 * }</pre> |
368 * <p> |
368 * <p> |
369 * Since the format of subject key identifiers is not mandated by |
369 * Since the format of subject key identifiers is not mandated by |
370 * any standard, subject key identifiers are not parsed by the |
370 * any standard, subject key identifiers are not parsed by the |
371 * <code>X509CertSelector</code>. Instead, the values are compared using |
371 * {@code X509CertSelector}. Instead, the values are compared using |
372 * a byte-by-byte comparison. |
372 * a byte-by-byte comparison. |
373 * <p> |
373 * <p> |
374 * Note that the byte array supplied here is cloned to protect against |
374 * Note that the byte array supplied here is cloned to protect against |
375 * subsequent modifications. |
375 * subsequent modifications. |
376 * |
376 * |
377 * @param subjectKeyID the subject key identifier (or <code>null</code>) |
377 * @param subjectKeyID the subject key identifier (or {@code null}) |
378 * @see #getSubjectKeyIdentifier |
378 * @see #getSubjectKeyIdentifier |
379 */ |
379 */ |
380 public void setSubjectKeyIdentifier(byte[] subjectKeyID) { |
380 public void setSubjectKeyIdentifier(byte[] subjectKeyID) { |
381 if (subjectKeyID == null) { |
381 if (subjectKeyID == null) { |
382 this.subjectKeyID = null; |
382 this.subjectKeyID = null; |
385 } |
385 } |
386 } |
386 } |
387 |
387 |
388 /** |
388 /** |
389 * Sets the authorityKeyIdentifier criterion. The |
389 * Sets the authorityKeyIdentifier criterion. The |
390 * <code>X509Certificate</code> must contain an |
390 * {@code X509Certificate} must contain an |
391 * AuthorityKeyIdentifier extension for which the contents of the |
391 * AuthorityKeyIdentifier extension for which the contents of the |
392 * extension value matches the specified criterion value. |
392 * extension value matches the specified criterion value. |
393 * If the criterion value is <code>null</code>, no |
393 * If the criterion value is {@code null}, no |
394 * authorityKeyIdentifier check will be done. |
394 * authorityKeyIdentifier check will be done. |
395 * <p> |
395 * <p> |
396 * If <code>authorityKeyID</code> is not <code>null</code>, it |
396 * If {@code authorityKeyID} is not {@code null}, it |
397 * should contain a single DER encoded value corresponding to the contents |
397 * should contain a single DER encoded value corresponding to the contents |
398 * of the extension value (not including the object identifier, |
398 * of the extension value (not including the object identifier, |
399 * criticality setting, and encapsulating OCTET STRING) |
399 * criticality setting, and encapsulating OCTET STRING) |
400 * for an AuthorityKeyIdentifier extension. |
400 * for an AuthorityKeyIdentifier extension. |
401 * The ASN.1 notation for this structure follows. |
401 * The ASN.1 notation for this structure follows. |
402 * <p> |
402 * <p> |
403 * <pre><code> |
403 * <pre>{@code |
404 * AuthorityKeyIdentifier ::= SEQUENCE { |
404 * AuthorityKeyIdentifier ::= SEQUENCE { |
405 * keyIdentifier [0] KeyIdentifier OPTIONAL, |
405 * keyIdentifier [0] KeyIdentifier OPTIONAL, |
406 * authorityCertIssuer [1] GeneralNames OPTIONAL, |
406 * authorityCertIssuer [1] GeneralNames OPTIONAL, |
407 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } |
407 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } |
408 * |
408 * |
409 * KeyIdentifier ::= OCTET STRING |
409 * KeyIdentifier ::= OCTET STRING |
410 * </code></pre> |
410 * }</pre> |
411 * <p> |
411 * <p> |
412 * Authority key identifiers are not parsed by the |
412 * Authority key identifiers are not parsed by the |
413 * <code>X509CertSelector</code>. Instead, the values are |
413 * {@code X509CertSelector}. Instead, the values are |
414 * compared using a byte-by-byte comparison. |
414 * compared using a byte-by-byte comparison. |
415 * <p> |
415 * <p> |
416 * When the <code>keyIdentifier</code> field of |
416 * When the {@code keyIdentifier} field of |
417 * <code>AuthorityKeyIdentifier</code> is populated, the value is |
417 * {@code AuthorityKeyIdentifier} is populated, the value is |
418 * usually taken from the <code>SubjectKeyIdentifier</code> extension |
418 * usually taken from the {@code SubjectKeyIdentifier} extension |
419 * in the issuer's certificate. Note, however, that the result of |
419 * in the issuer's certificate. Note, however, that the result of |
420 * <code>X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object |
420 * {@code X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object |
421 * Identifier>)</code> on the issuer's certificate may NOT be used |
421 * Identifier>)} on the issuer's certificate may NOT be used |
422 * directly as the input to <code>setAuthorityKeyIdentifier</code>. |
422 * directly as the input to {@code setAuthorityKeyIdentifier}. |
423 * This is because the SubjectKeyIdentifier contains |
423 * This is because the SubjectKeyIdentifier contains |
424 * only a KeyIdentifier OCTET STRING, and not a SEQUENCE of |
424 * only a KeyIdentifier OCTET STRING, and not a SEQUENCE of |
425 * KeyIdentifier, GeneralNames, and CertificateSerialNumber. |
425 * KeyIdentifier, GeneralNames, and CertificateSerialNumber. |
426 * In order to use the extension value of the issuer certificate's |
426 * In order to use the extension value of the issuer certificate's |
427 * <code>SubjectKeyIdentifier</code> |
427 * {@code SubjectKeyIdentifier} |
428 * extension, it will be necessary to extract the value of the embedded |
428 * extension, it will be necessary to extract the value of the embedded |
429 * <code>KeyIdentifier</code> OCTET STRING, then DER encode this OCTET |
429 * {@code KeyIdentifier} OCTET STRING, then DER encode this OCTET |
430 * STRING inside a SEQUENCE. |
430 * STRING inside a SEQUENCE. |
431 * For more details on SubjectKeyIdentifier, see |
431 * For more details on SubjectKeyIdentifier, see |
432 * {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}. |
432 * {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}. |
433 * <p> |
433 * <p> |
434 * Note also that the byte array supplied here is cloned to protect against |
434 * Note also that the byte array supplied here is cloned to protect against |
435 * subsequent modifications. |
435 * subsequent modifications. |
436 * |
436 * |
437 * @param authorityKeyID the authority key identifier |
437 * @param authorityKeyID the authority key identifier |
438 * (or <code>null</code>) |
438 * (or {@code null}) |
439 * @see #getAuthorityKeyIdentifier |
439 * @see #getAuthorityKeyIdentifier |
440 */ |
440 */ |
441 public void setAuthorityKeyIdentifier(byte[] authorityKeyID) { |
441 public void setAuthorityKeyIdentifier(byte[] authorityKeyID) { |
442 if (authorityKeyID == null) { |
442 if (authorityKeyID == null) { |
443 this.authorityKeyID = null; |
443 this.authorityKeyID = null; |
527 subjectPublicKeyBytes = key.getEncoded(); |
527 subjectPublicKeyBytes = key.getEncoded(); |
528 } |
528 } |
529 } |
529 } |
530 |
530 |
531 /** |
531 /** |
532 * Sets the subjectPublicKey criterion. The <code>X509Certificate</code> |
532 * Sets the subjectPublicKey criterion. The {@code X509Certificate} |
533 * must contain the specified subject public key. If <code>null</code>, |
533 * must contain the specified subject public key. If {@code null}, |
534 * no subjectPublicKey check will be done. |
534 * no subjectPublicKey check will be done. |
535 * <p> |
535 * <p> |
536 * Because this method allows the public key to be specified as a byte |
536 * Because this method allows the public key to be specified as a byte |
537 * array, it may be used for unknown key types. |
537 * array, it may be used for unknown key types. |
538 * <p> |
538 * <p> |
539 * If <code>key</code> is not <code>null</code>, it should contain a |
539 * If {@code key} is not {@code null}, it should contain a |
540 * single DER encoded SubjectPublicKeyInfo structure, as defined in X.509. |
540 * single DER encoded SubjectPublicKeyInfo structure, as defined in X.509. |
541 * The ASN.1 notation for this structure is as follows. |
541 * The ASN.1 notation for this structure is as follows. |
542 * <pre><code> |
542 * <pre>{@code |
543 * SubjectPublicKeyInfo ::= SEQUENCE { |
543 * SubjectPublicKeyInfo ::= SEQUENCE { |
544 * algorithm AlgorithmIdentifier, |
544 * algorithm AlgorithmIdentifier, |
545 * subjectPublicKey BIT STRING } |
545 * subjectPublicKey BIT STRING } |
546 * |
546 * |
547 * AlgorithmIdentifier ::= SEQUENCE { |
547 * AlgorithmIdentifier ::= SEQUENCE { |
548 * algorithm OBJECT IDENTIFIER, |
548 * algorithm OBJECT IDENTIFIER, |
549 * parameters ANY DEFINED BY algorithm OPTIONAL } |
549 * parameters ANY DEFINED BY algorithm OPTIONAL } |
550 * -- contains a value of the type |
550 * -- contains a value of the type |
551 * -- registered for use with the |
551 * -- registered for use with the |
552 * -- algorithm object identifier value |
552 * -- algorithm object identifier value |
553 * </code></pre> |
553 * }</pre> |
554 * <p> |
554 * <p> |
555 * Note that the byte array supplied here is cloned to protect against |
555 * Note that the byte array supplied here is cloned to protect against |
556 * subsequent modifications. |
556 * subsequent modifications. |
557 * |
557 * |
558 * @param key a byte array containing the subject public key in ASN.1 DER |
558 * @param key a byte array containing the subject public key in ASN.1 DER |
559 * form (or <code>null</code>) |
559 * form (or {@code null}) |
560 * @throws IOException if an encoding error occurs (incorrect form for |
560 * @throws IOException if an encoding error occurs (incorrect form for |
561 * subject public key) |
561 * subject public key) |
562 * @see #getSubjectPublicKey |
562 * @see #getSubjectPublicKey |
563 */ |
563 */ |
564 public void setSubjectPublicKey(byte[] key) throws IOException { |
564 public void setSubjectPublicKey(byte[] key) throws IOException { |
593 this.keyUsage = keyUsage.clone(); |
593 this.keyUsage = keyUsage.clone(); |
594 } |
594 } |
595 } |
595 } |
596 |
596 |
597 /** |
597 /** |
598 * Sets the extendedKeyUsage criterion. The <code>X509Certificate</code> |
598 * Sets the extendedKeyUsage criterion. The {@code X509Certificate} |
599 * must allow the specified key purposes in its extended key usage |
599 * must allow the specified key purposes in its extended key usage |
600 * extension. If <code>keyPurposeSet</code> is empty or <code>null</code>, |
600 * extension. If {@code keyPurposeSet} is empty or {@code null}, |
601 * no extendedKeyUsage check will be done. Note that an |
601 * no extendedKeyUsage check will be done. Note that an |
602 * <code>X509Certificate</code> that has no extendedKeyUsage extension |
602 * {@code X509Certificate} that has no extendedKeyUsage extension |
603 * implicitly allows all key purposes. |
603 * implicitly allows all key purposes. |
604 * <p> |
604 * <p> |
605 * Note that the <code>Set</code> is cloned to protect against |
605 * Note that the {@code Set} is cloned to protect against |
606 * subsequent modifications. |
606 * subsequent modifications. |
607 * |
607 * |
608 * @param keyPurposeSet a <code>Set</code> of key purpose OIDs in string |
608 * @param keyPurposeSet a {@code Set} of key purpose OIDs in string |
609 * format (or <code>null</code>). Each OID is represented by a set of |
609 * format (or {@code null}). Each OID is represented by a set of |
610 * nonnegative integers separated by periods. |
610 * nonnegative integers separated by periods. |
611 * @throws IOException if the OID is invalid, such as |
611 * @throws IOException if the OID is invalid, such as |
612 * the first component being not 0, 1 or 2 or the second component |
612 * the first component being not 0, 1 or 2 or the second component |
613 * being greater than 39. |
613 * being greater than 39. |
614 * @see #getExtendedKeyUsage |
614 * @see #getExtendedKeyUsage |
630 /** |
630 /** |
631 * Enables/disables matching all of the subjectAlternativeNames |
631 * Enables/disables matching all of the subjectAlternativeNames |
632 * specified in the {@link #setSubjectAlternativeNames |
632 * specified in the {@link #setSubjectAlternativeNames |
633 * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
633 * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
634 * addSubjectAlternativeName} methods. If enabled, |
634 * addSubjectAlternativeName} methods. If enabled, |
635 * the <code>X509Certificate</code> must contain all of the |
635 * the {@code X509Certificate} must contain all of the |
636 * specified subject alternative names. If disabled, the |
636 * specified subject alternative names. If disabled, the |
637 * <code>X509Certificate</code> must contain at least one of the |
637 * {@code X509Certificate} must contain at least one of the |
638 * specified subject alternative names. |
638 * specified subject alternative names. |
639 * |
639 * |
640 * <p>The matchAllNames flag is <code>true</code> by default. |
640 * <p>The matchAllNames flag is {@code true} by default. |
641 * |
641 * |
642 * @param matchAllNames if <code>true</code>, the flag is enabled; |
642 * @param matchAllNames if {@code true}, the flag is enabled; |
643 * if <code>false</code>, the flag is disabled. |
643 * if {@code false}, the flag is disabled. |
644 * @see #getMatchAllSubjectAltNames |
644 * @see #getMatchAllSubjectAltNames |
645 */ |
645 */ |
646 public void setMatchAllSubjectAltNames(boolean matchAllNames) { |
646 public void setMatchAllSubjectAltNames(boolean matchAllNames) { |
647 this.matchAllSubjectAltNames = matchAllNames; |
647 this.matchAllSubjectAltNames = matchAllNames; |
648 } |
648 } |
649 |
649 |
650 /** |
650 /** |
651 * Sets the subjectAlternativeNames criterion. The |
651 * Sets the subjectAlternativeNames criterion. The |
652 * <code>X509Certificate</code> must contain all or at least one of the |
652 * {@code X509Certificate} must contain all or at least one of the |
653 * specified subjectAlternativeNames, depending on the value of |
653 * specified subjectAlternativeNames, depending on the value of |
654 * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
654 * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
655 * setMatchAllSubjectAltNames}). |
655 * setMatchAllSubjectAltNames}). |
656 * <p> |
656 * <p> |
657 * This method allows the caller to specify, with a single method call, |
657 * This method allows the caller to specify, with a single method call, |
658 * the complete set of subject alternative names for the |
658 * the complete set of subject alternative names for the |
659 * subjectAlternativeNames criterion. The specified value replaces |
659 * subjectAlternativeNames criterion. The specified value replaces |
660 * the previous value for the subjectAlternativeNames criterion. |
660 * the previous value for the subjectAlternativeNames criterion. |
661 * <p> |
661 * <p> |
662 * The <code>names</code> parameter (if not <code>null</code>) is a |
662 * The {@code names} parameter (if not {@code null}) is a |
663 * <code>Collection</code> with one |
663 * {@code Collection} with one |
664 * entry for each name to be included in the subject alternative name |
664 * entry for each name to be included in the subject alternative name |
665 * criterion. Each entry is a <code>List</code> whose first entry is an |
665 * criterion. Each entry is a {@code List} whose first entry is an |
666 * <code>Integer</code> (the name type, 0-8) and whose second |
666 * {@code Integer} (the name type, 0-8) and whose second |
667 * entry is a <code>String</code> or a byte array (the name, in |
667 * entry is a {@code String} or a byte array (the name, in |
668 * string or ASN.1 DER encoded form, respectively). |
668 * string or ASN.1 DER encoded form, respectively). |
669 * There can be multiple names of the same type. If <code>null</code> |
669 * There can be multiple names of the same type. If {@code null} |
670 * is supplied as the value for this argument, no |
670 * is supplied as the value for this argument, no |
671 * subjectAlternativeNames check will be performed. |
671 * subjectAlternativeNames check will be performed. |
672 * <p> |
672 * <p> |
673 * Each subject alternative name in the <code>Collection</code> |
673 * Each subject alternative name in the {@code Collection} |
674 * may be specified either as a <code>String</code> or as an ASN.1 encoded |
674 * may be specified either as a {@code String} or as an ASN.1 encoded |
675 * byte array. For more details about the formats used, see |
675 * byte array. For more details about the formats used, see |
676 * {@link #addSubjectAlternativeName(int type, String name) |
676 * {@link #addSubjectAlternativeName(int type, String name) |
677 * addSubjectAlternativeName(int type, String name)} and |
677 * addSubjectAlternativeName(int type, String name)} and |
678 * {@link #addSubjectAlternativeName(int type, byte [] name) |
678 * {@link #addSubjectAlternativeName(int type, byte [] name) |
679 * addSubjectAlternativeName(int type, byte [] name)}. |
679 * addSubjectAlternativeName(int type, byte [] name)}. |
680 * <p> |
680 * <p> |
681 * <strong>Note:</strong> for distinguished names, specify the byte |
681 * <strong>Note:</strong> for distinguished names, specify the byte |
682 * array form instead of the String form. See the note in |
682 * array form instead of the String form. See the note in |
683 * {@link #addSubjectAlternativeName(int, String)} for more information. |
683 * {@link #addSubjectAlternativeName(int, String)} for more information. |
684 * <p> |
684 * <p> |
685 * Note that the <code>names</code> parameter can contain duplicate |
685 * Note that the {@code names} parameter can contain duplicate |
686 * names (same name and name type), but they may be removed from the |
686 * names (same name and name type), but they may be removed from the |
687 * <code>Collection</code> of names returned by the |
687 * {@code Collection} of names returned by the |
688 * {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method. |
688 * {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method. |
689 * <p> |
689 * <p> |
690 * Note that a deep copy is performed on the <code>Collection</code> to |
690 * Note that a deep copy is performed on the {@code Collection} to |
691 * protect against subsequent modifications. |
691 * protect against subsequent modifications. |
692 * |
692 * |
693 * @param names a <code>Collection</code> of names (or <code>null</code>) |
693 * @param names a {@code Collection} of names (or {@code null}) |
694 * @throws IOException if a parsing error occurs |
694 * @throws IOException if a parsing error occurs |
695 * @see #getSubjectAlternativeNames |
695 * @see #getSubjectAlternativeNames |
696 */ |
696 */ |
697 public void setSubjectAlternativeNames(Collection<List<?>> names) |
697 public void setSubjectAlternativeNames(Collection<List<?>> names) |
698 throws IOException { |
698 throws IOException { |
745 * certificates because of a loss of encoding information in the RFC 2253 |
745 * certificates because of a loss of encoding information in the RFC 2253 |
746 * String form of some distinguished names. |
746 * String form of some distinguished names. |
747 * |
747 * |
748 * @param type the name type (0-8, as specified in |
748 * @param type the name type (0-8, as specified in |
749 * RFC 3280, section 4.2.1.7) |
749 * RFC 3280, section 4.2.1.7) |
750 * @param name the name in string form (not <code>null</code>) |
750 * @param name the name in string form (not {@code null}) |
751 * @throws IOException if a parsing error occurs |
751 * @throws IOException if a parsing error occurs |
752 */ |
752 */ |
753 public void addSubjectAlternativeName(int type, String name) |
753 public void addSubjectAlternativeName(int type, String name) |
754 throws IOException { |
754 throws IOException { |
755 addSubjectAlternativeNameInternal(type, name); |
755 addSubjectAlternativeNameInternal(type, name); |
756 } |
756 } |
757 |
757 |
758 /** |
758 /** |
759 * Adds a name to the subjectAlternativeNames criterion. The |
759 * Adds a name to the subjectAlternativeNames criterion. The |
760 * <code>X509Certificate</code> must contain all or at least one |
760 * {@code X509Certificate} must contain all or at least one |
761 * of the specified subjectAlternativeNames, depending on the value of |
761 * of the specified subjectAlternativeNames, depending on the value of |
762 * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
762 * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames |
763 * setMatchAllSubjectAltNames}). |
763 * setMatchAllSubjectAltNames}). |
764 * <p> |
764 * <p> |
765 * This method allows the caller to add a name to the set of subject |
765 * This method allows the caller to add a name to the set of subject |
772 * the DER encoded name, as it would appear in the GeneralName structure |
772 * the DER encoded name, as it would appear in the GeneralName structure |
773 * defined in RFC 3280 and X.509. The encoded byte array should only contain |
773 * defined in RFC 3280 and X.509. The encoded byte array should only contain |
774 * the encoded value of the name, and should not include the tag associated |
774 * the encoded value of the name, and should not include the tag associated |
775 * with the name in the GeneralName structure. The ASN.1 definition of this |
775 * with the name in the GeneralName structure. The ASN.1 definition of this |
776 * structure appears below. |
776 * structure appears below. |
777 * <pre><code> |
777 * <pre>{@code |
778 * GeneralName ::= CHOICE { |
778 * GeneralName ::= CHOICE { |
779 * otherName [0] OtherName, |
779 * otherName [0] OtherName, |
780 * rfc822Name [1] IA5String, |
780 * rfc822Name [1] IA5String, |
781 * dNSName [2] IA5String, |
781 * dNSName [2] IA5String, |
782 * x400Address [3] ORAddress, |
782 * x400Address [3] ORAddress, |
783 * directoryName [4] Name, |
783 * directoryName [4] Name, |
784 * ediPartyName [5] EDIPartyName, |
784 * ediPartyName [5] EDIPartyName, |
785 * uniformResourceIdentifier [6] IA5String, |
785 * uniformResourceIdentifier [6] IA5String, |
786 * iPAddress [7] OCTET STRING, |
786 * iPAddress [7] OCTET STRING, |
787 * registeredID [8] OBJECT IDENTIFIER} |
787 * registeredID [8] OBJECT IDENTIFIER} |
788 * </code></pre> |
788 * }</pre> |
789 * <p> |
789 * <p> |
790 * Note that the byte array supplied here is cloned to protect against |
790 * Note that the byte array supplied here is cloned to protect against |
791 * subsequent modifications. |
791 * subsequent modifications. |
792 * |
792 * |
793 * @param type the name type (0-8, as listed above) |
793 * @param type the name type (0-8, as listed above) |
827 subjectAlternativeGeneralNames.add(tempName); |
827 subjectAlternativeGeneralNames.add(tempName); |
828 } |
828 } |
829 |
829 |
830 /** |
830 /** |
831 * Parse an argument of the form passed to setSubjectAlternativeNames, |
831 * Parse an argument of the form passed to setSubjectAlternativeNames, |
832 * returning a <code>Collection</code> of |
832 * returning a {@code Collection} of |
833 * <code>GeneralNameInterface</code>s. |
833 * {@code GeneralNameInterface}s. |
834 * Throw an IllegalArgumentException or a ClassCastException |
834 * Throw an IllegalArgumentException or a ClassCastException |
835 * if the argument is malformed. |
835 * if the argument is malformed. |
836 * |
836 * |
837 * @param names a Collection with one entry per name. |
837 * @param names a Collection with one entry per name. |
838 * Each entry is a <code>List</code> whose first entry |
838 * Each entry is a {@code List} whose first entry |
839 * is an Integer (the name type, 0-8) and whose second |
839 * is an Integer (the name type, 0-8) and whose second |
840 * entry is a String or a byte array (the name, in |
840 * entry is a String or a byte array (the name, in |
841 * string or ASN.1 DER encoded form, respectively). |
841 * string or ASN.1 DER encoded form, respectively). |
842 * There can be multiple names of the same type. Null is |
842 * There can be multiple names of the same type. Null is |
843 * not an acceptable value. |
843 * not an acceptable value. |
844 * @return a Set of <code>GeneralNameInterface</code>s |
844 * @return a Set of {@code GeneralNameInterface}s |
845 * @throws IOException if a parsing error occurs |
845 * @throws IOException if a parsing error occurs |
846 */ |
846 */ |
847 private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException { |
847 private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException { |
848 Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>(); |
848 Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>(); |
849 for (List<?> nameList : names) { |
849 for (List<?> nameList : names) { |
1020 * directoryName [4] Name, |
1020 * directoryName [4] Name, |
1021 * ediPartyName [5] EDIPartyName, |
1021 * ediPartyName [5] EDIPartyName, |
1022 * uniformResourceIdentifier [6] IA5String, |
1022 * uniformResourceIdentifier [6] IA5String, |
1023 * iPAddress [7] OCTET STRING, |
1023 * iPAddress [7] OCTET STRING, |
1024 * registeredID [8] OBJECT IDENTIFIER} |
1024 * registeredID [8] OBJECT IDENTIFIER} |
1025 * </code></pre> |
1025 * }</pre> |
1026 * <p> |
1026 * <p> |
1027 * Note that the byte array supplied here is cloned to protect against |
1027 * Note that the byte array supplied here is cloned to protect against |
1028 * subsequent modifications. |
1028 * subsequent modifications. |
1029 * |
1029 * |
1030 * @param bytes a byte array containing the ASN.1 DER encoding of |
1030 * @param bytes a byte array containing the ASN.1 DER encoding of |
1031 * a NameConstraints extension to be used for checking |
1031 * a NameConstraints extension to be used for checking |
1032 * name constraints. Only the value of the extension is |
1032 * name constraints. Only the value of the extension is |
1033 * included, not the OID or criticality flag. Can be |
1033 * included, not the OID or criticality flag. Can be |
1034 * <code>null</code>, |
1034 * {@code null}, |
1035 * in which case no name constraints check will be performed. |
1035 * in which case no name constraints check will be performed. |
1036 * @throws IOException if a parsing error occurs |
1036 * @throws IOException if a parsing error occurs |
1037 * @see #getNameConstraints |
1037 * @see #getNameConstraints |
1038 */ |
1038 */ |
1039 public void setNameConstraints(byte[] bytes) throws IOException { |
1039 public void setNameConstraints(byte[] bytes) throws IOException { |
1068 } |
1068 } |
1069 basicConstraints = minMaxPathLen; |
1069 basicConstraints = minMaxPathLen; |
1070 } |
1070 } |
1071 |
1071 |
1072 /** |
1072 /** |
1073 * Sets the policy constraint. The <code>X509Certificate</code> must |
1073 * Sets the policy constraint. The {@code X509Certificate} must |
1074 * include at least one of the specified policies in its certificate |
1074 * include at least one of the specified policies in its certificate |
1075 * policies extension. If <code>certPolicySet</code> is empty, then the |
1075 * policies extension. If {@code certPolicySet} is empty, then the |
1076 * <code>X509Certificate</code> must include at least some specified policy |
1076 * {@code X509Certificate} must include at least some specified policy |
1077 * in its certificate policies extension. If <code>certPolicySet</code> is |
1077 * in its certificate policies extension. If {@code certPolicySet} is |
1078 * <code>null</code>, no policy check will be performed. |
1078 * {@code null}, no policy check will be performed. |
1079 * <p> |
1079 * <p> |
1080 * Note that the <code>Set</code> is cloned to protect against |
1080 * Note that the {@code Set} is cloned to protect against |
1081 * subsequent modifications. |
1081 * subsequent modifications. |
1082 * |
1082 * |
1083 * @param certPolicySet a <code>Set</code> of certificate policy OIDs in |
1083 * @param certPolicySet a {@code Set} of certificate policy OIDs in |
1084 * string format (or <code>null</code>). Each OID is |
1084 * string format (or {@code null}). Each OID is |
1085 * represented by a set of nonnegative integers |
1085 * represented by a set of nonnegative integers |
1086 * separated by periods. |
1086 * separated by periods. |
1087 * @throws IOException if a parsing error occurs on the OID such as |
1087 * @throws IOException if a parsing error occurs on the OID such as |
1088 * the first component is not 0, 1 or 2 or the second component is |
1088 * the first component is not 0, 1 or 2 or the second component is |
1089 * greater than 39. |
1089 * greater than 39. |
1113 policy = new CertificatePolicySet(polIdVector); |
1113 policy = new CertificatePolicySet(polIdVector); |
1114 } |
1114 } |
1115 } |
1115 } |
1116 |
1116 |
1117 /** |
1117 /** |
1118 * Sets the pathToNames criterion. The <code>X509Certificate</code> must |
1118 * Sets the pathToNames criterion. The {@code X509Certificate} must |
1119 * not include name constraints that would prohibit building a |
1119 * not include name constraints that would prohibit building a |
1120 * path to the specified names. |
1120 * path to the specified names. |
1121 * <p> |
1121 * <p> |
1122 * This method allows the caller to specify, with a single method call, |
1122 * This method allows the caller to specify, with a single method call, |
1123 * the complete set of names which the <code>X509Certificates</code>'s |
1123 * the complete set of names which the {@code X509Certificates}'s |
1124 * name constraints must permit. The specified value replaces |
1124 * name constraints must permit. The specified value replaces |
1125 * the previous value for the pathToNames criterion. |
1125 * the previous value for the pathToNames criterion. |
1126 * <p> |
1126 * <p> |
1127 * This constraint is useful when building a certification path forward |
1127 * This constraint is useful when building a certification path forward |
1128 * (from the target toward the trust anchor. If a partial path has been |
1128 * (from the target toward the trust anchor. If a partial path has been |
1129 * built, any candidate certificate must not include name constraints that |
1129 * built, any candidate certificate must not include name constraints that |
1130 * would prohibit building a path to any of the names in the partial path. |
1130 * would prohibit building a path to any of the names in the partial path. |
1131 * <p> |
1131 * <p> |
1132 * The <code>names</code> parameter (if not <code>null</code>) is a |
1132 * The {@code names} parameter (if not {@code null}) is a |
1133 * <code>Collection</code> with one |
1133 * {@code Collection} with one |
1134 * entry for each name to be included in the pathToNames |
1134 * entry for each name to be included in the pathToNames |
1135 * criterion. Each entry is a <code>List</code> whose first entry is an |
1135 * criterion. Each entry is a {@code List} whose first entry is an |
1136 * <code>Integer</code> (the name type, 0-8) and whose second |
1136 * {@code Integer} (the name type, 0-8) and whose second |
1137 * entry is a <code>String</code> or a byte array (the name, in |
1137 * entry is a {@code String} or a byte array (the name, in |
1138 * string or ASN.1 DER encoded form, respectively). |
1138 * string or ASN.1 DER encoded form, respectively). |
1139 * There can be multiple names of the same type. If <code>null</code> |
1139 * There can be multiple names of the same type. If {@code null} |
1140 * is supplied as the value for this argument, no |
1140 * is supplied as the value for this argument, no |
1141 * pathToNames check will be performed. |
1141 * pathToNames check will be performed. |
1142 * <p> |
1142 * <p> |
1143 * Each name in the <code>Collection</code> |
1143 * Each name in the {@code Collection} |
1144 * may be specified either as a <code>String</code> or as an ASN.1 encoded |
1144 * may be specified either as a {@code String} or as an ASN.1 encoded |
1145 * byte array. For more details about the formats used, see |
1145 * byte array. For more details about the formats used, see |
1146 * {@link #addPathToName(int type, String name) |
1146 * {@link #addPathToName(int type, String name) |
1147 * addPathToName(int type, String name)} and |
1147 * addPathToName(int type, String name)} and |
1148 * {@link #addPathToName(int type, byte [] name) |
1148 * {@link #addPathToName(int type, byte [] name) |
1149 * addPathToName(int type, byte [] name)}. |
1149 * addPathToName(int type, byte [] name)}. |
1150 * <p> |
1150 * <p> |
1151 * <strong>Note:</strong> for distinguished names, specify the byte |
1151 * <strong>Note:</strong> for distinguished names, specify the byte |
1152 * array form instead of the String form. See the note in |
1152 * array form instead of the String form. See the note in |
1153 * {@link #addPathToName(int, String)} for more information. |
1153 * {@link #addPathToName(int, String)} for more information. |
1154 * <p> |
1154 * <p> |
1155 * Note that the <code>names</code> parameter can contain duplicate |
1155 * Note that the {@code names} parameter can contain duplicate |
1156 * names (same name and name type), but they may be removed from the |
1156 * names (same name and name type), but they may be removed from the |
1157 * <code>Collection</code> of names returned by the |
1157 * {@code Collection} of names returned by the |
1158 * {@link #getPathToNames getPathToNames} method. |
1158 * {@link #getPathToNames getPathToNames} method. |
1159 * <p> |
1159 * <p> |
1160 * Note that a deep copy is performed on the <code>Collection</code> to |
1160 * Note that a deep copy is performed on the {@code Collection} to |
1161 * protect against subsequent modifications. |
1161 * protect against subsequent modifications. |
1162 * |
1162 * |
1163 * @param names a <code>Collection</code> with one entry per name |
1163 * @param names a {@code Collection} with one entry per name |
1164 * (or <code>null</code>) |
1164 * (or {@code null}) |
1165 * @throws IOException if a parsing error occurs |
1165 * @throws IOException if a parsing error occurs |
1166 * @see #getPathToNames |
1166 * @see #getPathToNames |
1167 */ |
1167 */ |
1168 public void setPathToNames(Collection<List<?>> names) throws IOException { |
1168 public void setPathToNames(Collection<List<?>> names) throws IOException { |
1169 if ((names == null) || names.isEmpty()) { |
1169 if ((names == null) || names.isEmpty()) { |
1277 pathToGeneralNames.add(tempName); |
1277 pathToGeneralNames.add(tempName); |
1278 } |
1278 } |
1279 |
1279 |
1280 /** |
1280 /** |
1281 * Returns the certificateEquals criterion. The specified |
1281 * Returns the certificateEquals criterion. The specified |
1282 * <code>X509Certificate</code> must be equal to the |
1282 * {@code X509Certificate} must be equal to the |
1283 * <code>X509Certificate</code> passed to the <code>match</code> method. |
1283 * {@code X509Certificate} passed to the {@code match} method. |
1284 * If <code>null</code>, this check is not applied. |
1284 * If {@code null}, this check is not applied. |
1285 * |
1285 * |
1286 * @return the <code>X509Certificate</code> to match (or <code>null</code>) |
1286 * @return the {@code X509Certificate} to match (or {@code null}) |
1287 * @see #setCertificate |
1287 * @see #setCertificate |
1288 */ |
1288 */ |
1289 public X509Certificate getCertificate() { |
1289 public X509Certificate getCertificate() { |
1290 return x509Cert; |
1290 return x509Cert; |
1291 } |
1291 } |
1292 |
1292 |
1293 /** |
1293 /** |
1294 * Returns the serialNumber criterion. The specified serial number |
1294 * Returns the serialNumber criterion. The specified serial number |
1295 * must match the certificate serial number in the |
1295 * must match the certificate serial number in the |
1296 * <code>X509Certificate</code>. If <code>null</code>, any certificate |
1296 * {@code X509Certificate}. If {@code null}, any certificate |
1297 * serial number will do. |
1297 * serial number will do. |
1298 * |
1298 * |
1299 * @return the certificate serial number to match |
1299 * @return the certificate serial number to match |
1300 * (or <code>null</code>) |
1300 * (or {@code null}) |
1301 * @see #setSerialNumber |
1301 * @see #setSerialNumber |
1302 */ |
1302 */ |
1303 public BigInteger getSerialNumber() { |
1303 public BigInteger getSerialNumber() { |
1304 return serialNumber; |
1304 return serialNumber; |
1305 } |
1305 } |
1306 |
1306 |
1307 /** |
1307 /** |
1308 * Returns the issuer criterion as an <code>X500Principal</code>. This |
1308 * Returns the issuer criterion as an {@code X500Principal}. This |
1309 * distinguished name must match the issuer distinguished name in the |
1309 * distinguished name must match the issuer distinguished name in the |
1310 * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion |
1310 * {@code X509Certificate}. If {@code null}, the issuer criterion |
1311 * is disabled and any issuer distinguished name will do. |
1311 * is disabled and any issuer distinguished name will do. |
1312 * |
1312 * |
1313 * @return the required issuer distinguished name as X500Principal |
1313 * @return the required issuer distinguished name as X500Principal |
1314 * (or <code>null</code>) |
1314 * (or {@code null}) |
1315 * @since 1.5 |
1315 * @since 1.5 |
1316 */ |
1316 */ |
1317 public X500Principal getIssuer() { |
1317 public X500Principal getIssuer() { |
1318 return issuer; |
1318 return issuer; |
1319 } |
1319 } |
1323 * {@linkplain #getIssuerAsBytes()} instead. This method should not be |
1323 * {@linkplain #getIssuerAsBytes()} instead. This method should not be |
1324 * relied on as it can fail to match some certificates because of a loss of |
1324 * relied on as it can fail to match some certificates because of a loss of |
1325 * encoding information in the RFC 2253 String form of some distinguished |
1325 * encoding information in the RFC 2253 String form of some distinguished |
1326 * names. |
1326 * names. |
1327 * <p> |
1327 * <p> |
1328 * Returns the issuer criterion as a <code>String</code>. This |
1328 * Returns the issuer criterion as a {@code String}. This |
1329 * distinguished name must match the issuer distinguished name in the |
1329 * distinguished name must match the issuer distinguished name in the |
1330 * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion |
1330 * {@code X509Certificate}. If {@code null}, the issuer criterion |
1331 * is disabled and any issuer distinguished name will do. |
1331 * is disabled and any issuer distinguished name will do. |
1332 * <p> |
1332 * <p> |
1333 * If the value returned is not <code>null</code>, it is a |
1333 * If the value returned is not {@code null}, it is a |
1334 * distinguished name, in RFC 2253 format. |
1334 * distinguished name, in RFC 2253 format. |
1335 * |
1335 * |
1336 * @return the required issuer distinguished name in RFC 2253 format |
1336 * @return the required issuer distinguished name in RFC 2253 format |
1337 * (or <code>null</code>) |
1337 * (or {@code null}) |
1338 */ |
1338 */ |
1339 public String getIssuerAsString() { |
1339 public String getIssuerAsString() { |
1340 return (issuer == null ? null : issuer.getName()); |
1340 return (issuer == null ? null : issuer.getName()); |
1341 } |
1341 } |
1342 |
1342 |
1343 /** |
1343 /** |
1344 * Returns the issuer criterion as a byte array. This distinguished name |
1344 * Returns the issuer criterion as a byte array. This distinguished name |
1345 * must match the issuer distinguished name in the |
1345 * must match the issuer distinguished name in the |
1346 * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion |
1346 * {@code X509Certificate}. If {@code null}, the issuer criterion |
1347 * is disabled and any issuer distinguished name will do. |
1347 * is disabled and any issuer distinguished name will do. |
1348 * <p> |
1348 * <p> |
1349 * If the value returned is not <code>null</code>, it is a byte |
1349 * If the value returned is not {@code null}, it is a byte |
1350 * array containing a single DER encoded distinguished name, as defined in |
1350 * array containing a single DER encoded distinguished name, as defined in |
1351 * X.501. The ASN.1 notation for this structure is supplied in the |
1351 * X.501. The ASN.1 notation for this structure is supplied in the |
1352 * documentation for |
1352 * documentation for |
1353 * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}. |
1353 * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}. |
1354 * <p> |
1354 * <p> |
1355 * Note that the byte array returned is cloned to protect against |
1355 * Note that the byte array returned is cloned to protect against |
1356 * subsequent modifications. |
1356 * subsequent modifications. |
1357 * |
1357 * |
1358 * @return a byte array containing the required issuer distinguished name |
1358 * @return a byte array containing the required issuer distinguished name |
1359 * in ASN.1 DER format (or <code>null</code>) |
1359 * in ASN.1 DER format (or {@code null}) |
1360 * @throws IOException if an encoding error occurs |
1360 * @throws IOException if an encoding error occurs |
1361 */ |
1361 */ |
1362 public byte[] getIssuerAsBytes() throws IOException { |
1362 public byte[] getIssuerAsBytes() throws IOException { |
1363 return (issuer == null ? null: issuer.getEncoded()); |
1363 return (issuer == null ? null: issuer.getEncoded()); |
1364 } |
1364 } |
1365 |
1365 |
1366 /** |
1366 /** |
1367 * Returns the subject criterion as an <code>X500Principal</code>. This |
1367 * Returns the subject criterion as an {@code X500Principal}. This |
1368 * distinguished name must match the subject distinguished name in the |
1368 * distinguished name must match the subject distinguished name in the |
1369 * <code>X509Certificate</code>. If <code>null</code>, the subject criterion |
1369 * {@code X509Certificate}. If {@code null}, the subject criterion |
1370 * is disabled and any subject distinguished name will do. |
1370 * is disabled and any subject distinguished name will do. |
1371 * |
1371 * |
1372 * @return the required subject distinguished name as X500Principal |
1372 * @return the required subject distinguished name as X500Principal |
1373 * (or <code>null</code>) |
1373 * (or {@code null}) |
1374 * @since 1.5 |
1374 * @since 1.5 |
1375 */ |
1375 */ |
1376 public X500Principal getSubject() { |
1376 public X500Principal getSubject() { |
1377 return subject; |
1377 return subject; |
1378 } |
1378 } |
1382 * {@linkplain #getSubjectAsBytes()} instead. This method should not be |
1382 * {@linkplain #getSubjectAsBytes()} instead. This method should not be |
1383 * relied on as it can fail to match some certificates because of a loss of |
1383 * relied on as it can fail to match some certificates because of a loss of |
1384 * encoding information in the RFC 2253 String form of some distinguished |
1384 * encoding information in the RFC 2253 String form of some distinguished |
1385 * names. |
1385 * names. |
1386 * <p> |
1386 * <p> |
1387 * Returns the subject criterion as a <code>String</code>. This |
1387 * Returns the subject criterion as a {@code String}. This |
1388 * distinguished name must match the subject distinguished name in the |
1388 * distinguished name must match the subject distinguished name in the |
1389 * <code>X509Certificate</code>. If <code>null</code>, the subject criterion |
1389 * {@code X509Certificate}. If {@code null}, the subject criterion |
1390 * is disabled and any subject distinguished name will do. |
1390 * is disabled and any subject distinguished name will do. |
1391 * <p> |
1391 * <p> |
1392 * If the value returned is not <code>null</code>, it is a |
1392 * If the value returned is not {@code null}, it is a |
1393 * distinguished name, in RFC 2253 format. |
1393 * distinguished name, in RFC 2253 format. |
1394 * |
1394 * |
1395 * @return the required subject distinguished name in RFC 2253 format |
1395 * @return the required subject distinguished name in RFC 2253 format |
1396 * (or <code>null</code>) |
1396 * (or {@code null}) |
1397 */ |
1397 */ |
1398 public String getSubjectAsString() { |
1398 public String getSubjectAsString() { |
1399 return (subject == null ? null : subject.getName()); |
1399 return (subject == null ? null : subject.getName()); |
1400 } |
1400 } |
1401 |
1401 |
1402 /** |
1402 /** |
1403 * Returns the subject criterion as a byte array. This distinguished name |
1403 * Returns the subject criterion as a byte array. This distinguished name |
1404 * must match the subject distinguished name in the |
1404 * must match the subject distinguished name in the |
1405 * <code>X509Certificate</code>. If <code>null</code>, the subject criterion |
1405 * {@code X509Certificate}. If {@code null}, the subject criterion |
1406 * is disabled and any subject distinguished name will do. |
1406 * is disabled and any subject distinguished name will do. |
1407 * <p> |
1407 * <p> |
1408 * If the value returned is not <code>null</code>, it is a byte |
1408 * If the value returned is not {@code null}, it is a byte |
1409 * array containing a single DER encoded distinguished name, as defined in |
1409 * array containing a single DER encoded distinguished name, as defined in |
1410 * X.501. The ASN.1 notation for this structure is supplied in the |
1410 * X.501. The ASN.1 notation for this structure is supplied in the |
1411 * documentation for |
1411 * documentation for |
1412 * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}. |
1412 * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}. |
1413 * <p> |
1413 * <p> |
1414 * Note that the byte array returned is cloned to protect against |
1414 * Note that the byte array returned is cloned to protect against |
1415 * subsequent modifications. |
1415 * subsequent modifications. |
1416 * |
1416 * |
1417 * @return a byte array containing the required subject distinguished name |
1417 * @return a byte array containing the required subject distinguished name |
1418 * in ASN.1 DER format (or <code>null</code>) |
1418 * in ASN.1 DER format (or {@code null}) |
1419 * @throws IOException if an encoding error occurs |
1419 * @throws IOException if an encoding error occurs |
1420 */ |
1420 */ |
1421 public byte[] getSubjectAsBytes() throws IOException { |
1421 public byte[] getSubjectAsBytes() throws IOException { |
1422 return (subject == null ? null : subject.getEncoded()); |
1422 return (subject == null ? null : subject.getEncoded()); |
1423 } |
1423 } |
1424 |
1424 |
1425 /** |
1425 /** |
1426 * Returns the subjectKeyIdentifier criterion. The |
1426 * Returns the subjectKeyIdentifier criterion. The |
1427 * <code>X509Certificate</code> must contain a SubjectKeyIdentifier |
1427 * {@code X509Certificate} must contain a SubjectKeyIdentifier |
1428 * extension with the specified value. If <code>null</code>, no |
1428 * extension with the specified value. If {@code null}, no |
1429 * subjectKeyIdentifier check will be done. |
1429 * subjectKeyIdentifier check will be done. |
1430 * <p> |
1430 * <p> |
1431 * Note that the byte array returned is cloned to protect against |
1431 * Note that the byte array returned is cloned to protect against |
1432 * subsequent modifications. |
1432 * subsequent modifications. |
1433 * |
1433 * |
1434 * @return the key identifier (or <code>null</code>) |
1434 * @return the key identifier (or {@code null}) |
1435 * @see #setSubjectKeyIdentifier |
1435 * @see #setSubjectKeyIdentifier |
1436 */ |
1436 */ |
1437 public byte[] getSubjectKeyIdentifier() { |
1437 public byte[] getSubjectKeyIdentifier() { |
1438 if (subjectKeyID == null) { |
1438 if (subjectKeyID == null) { |
1439 return null; |
1439 return null; |
1516 return subjectPublicKeyAlgID.toString(); |
1516 return subjectPublicKeyAlgID.toString(); |
1517 } |
1517 } |
1518 |
1518 |
1519 /** |
1519 /** |
1520 * Returns the subjectPublicKey criterion. The |
1520 * Returns the subjectPublicKey criterion. The |
1521 * <code>X509Certificate</code> must contain the specified subject |
1521 * {@code X509Certificate} must contain the specified subject |
1522 * public key. If <code>null</code>, no subjectPublicKey check will be done. |
1522 * public key. If {@code null}, no subjectPublicKey check will be done. |
1523 * |
1523 * |
1524 * @return the subject public key to check for (or <code>null</code>) |
1524 * @return the subject public key to check for (or {@code null}) |
1525 * @see #setSubjectPublicKey |
1525 * @see #setSubjectPublicKey |
1526 */ |
1526 */ |
1527 public PublicKey getSubjectPublicKey() { |
1527 public PublicKey getSubjectPublicKey() { |
1528 return subjectPublicKey; |
1528 return subjectPublicKey; |
1529 } |
1529 } |
1530 |
1530 |
1531 /** |
1531 /** |
1532 * Returns the keyUsage criterion. The <code>X509Certificate</code> |
1532 * Returns the keyUsage criterion. The {@code X509Certificate} |
1533 * must allow the specified keyUsage values. If null, no keyUsage |
1533 * must allow the specified keyUsage values. If null, no keyUsage |
1534 * check will be done. |
1534 * check will be done. |
1535 * <p> |
1535 * <p> |
1536 * Note that the boolean array returned is cloned to protect against |
1536 * Note that the boolean array returned is cloned to protect against |
1537 * subsequent modifications. |
1537 * subsequent modifications. |
1538 * |
1538 * |
1539 * @return a boolean array in the same format as the boolean |
1539 * @return a boolean array in the same format as the boolean |
1540 * array returned by |
1540 * array returned by |
1541 * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}. |
1541 * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}. |
1542 * Or <code>null</code>. |
1542 * Or {@code null}. |
1543 * @see #setKeyUsage |
1543 * @see #setKeyUsage |
1544 */ |
1544 */ |
1545 public boolean[] getKeyUsage() { |
1545 public boolean[] getKeyUsage() { |
1546 if (keyUsage == null) { |
1546 if (keyUsage == null) { |
1547 return null; |
1547 return null; |
1548 } |
1548 } |
1549 return keyUsage.clone(); |
1549 return keyUsage.clone(); |
1550 } |
1550 } |
1551 |
1551 |
1552 /** |
1552 /** |
1553 * Returns the extendedKeyUsage criterion. The <code>X509Certificate</code> |
1553 * Returns the extendedKeyUsage criterion. The {@code X509Certificate} |
1554 * must allow the specified key purposes in its extended key usage |
1554 * must allow the specified key purposes in its extended key usage |
1555 * extension. If the <code>keyPurposeSet</code> returned is empty or |
1555 * extension. If the {@code keyPurposeSet} returned is empty or |
1556 * <code>null</code>, no extendedKeyUsage check will be done. Note that an |
1556 * {@code null}, no extendedKeyUsage check will be done. Note that an |
1557 * <code>X509Certificate</code> that has no extendedKeyUsage extension |
1557 * {@code X509Certificate} that has no extendedKeyUsage extension |
1558 * implicitly allows all key purposes. |
1558 * implicitly allows all key purposes. |
1559 * |
1559 * |
1560 * @return an immutable <code>Set</code> of key purpose OIDs in string |
1560 * @return an immutable {@code Set} of key purpose OIDs in string |
1561 * format (or <code>null</code>) |
1561 * format (or {@code null}) |
1562 * @see #setExtendedKeyUsage |
1562 * @see #setExtendedKeyUsage |
1563 */ |
1563 */ |
1564 public Set<String> getExtendedKeyUsage() { |
1564 public Set<String> getExtendedKeyUsage() { |
1565 return keyPurposeSet; |
1565 return keyPurposeSet; |
1566 } |
1566 } |
1567 |
1567 |
1568 /** |
1568 /** |
1569 * Indicates if the <code>X509Certificate</code> must contain all |
1569 * Indicates if the {@code X509Certificate} must contain all |
1570 * or at least one of the subjectAlternativeNames |
1570 * or at least one of the subjectAlternativeNames |
1571 * specified in the {@link #setSubjectAlternativeNames |
1571 * specified in the {@link #setSubjectAlternativeNames |
1572 * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
1572 * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName |
1573 * addSubjectAlternativeName} methods. If <code>true</code>, |
1573 * addSubjectAlternativeName} methods. If {@code true}, |
1574 * the <code>X509Certificate</code> must contain all of the |
1574 * the {@code X509Certificate} must contain all of the |
1575 * specified subject alternative names. If <code>false</code>, the |
1575 * specified subject alternative names. If {@code false}, the |
1576 * <code>X509Certificate</code> must contain at least one of the |
1576 * {@code X509Certificate} must contain at least one of the |
1577 * specified subject alternative names. |
1577 * specified subject alternative names. |
1578 * |
1578 * |
1579 * @return <code>true</code> if the flag is enabled; |
1579 * @return {@code true} if the flag is enabled; |
1580 * <code>false</code> if the flag is disabled. The flag is |
1580 * {@code false} if the flag is disabled. The flag is |
1581 * <code>true</code> by default. |
1581 * {@code true} by default. |
1582 * @see #setMatchAllSubjectAltNames |
1582 * @see #setMatchAllSubjectAltNames |
1583 */ |
1583 */ |
1584 public boolean getMatchAllSubjectAltNames() { |
1584 public boolean getMatchAllSubjectAltNames() { |
1585 return matchAllSubjectAltNames; |
1585 return matchAllSubjectAltNames; |
1586 } |
1586 } |
1587 |
1587 |
1588 /** |
1588 /** |
1589 * Returns a copy of the subjectAlternativeNames criterion. |
1589 * Returns a copy of the subjectAlternativeNames criterion. |
1590 * The <code>X509Certificate</code> must contain all or at least one |
1590 * The {@code X509Certificate} must contain all or at least one |
1591 * of the specified subjectAlternativeNames, depending on the value |
1591 * of the specified subjectAlternativeNames, depending on the value |
1592 * of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames |
1592 * of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames |
1593 * getMatchAllSubjectAltNames}). If the value returned is |
1593 * getMatchAllSubjectAltNames}). If the value returned is |
1594 * <code>null</code>, no subjectAlternativeNames check will be performed. |
1594 * {@code null}, no subjectAlternativeNames check will be performed. |
1595 * <p> |
1595 * <p> |
1596 * If the value returned is not <code>null</code>, it is a |
1596 * If the value returned is not {@code null}, it is a |
1597 * <code>Collection</code> with |
1597 * {@code Collection} with |
1598 * one entry for each name to be included in the subject alternative name |
1598 * one entry for each name to be included in the subject alternative name |
1599 * criterion. Each entry is a <code>List</code> whose first entry is an |
1599 * criterion. Each entry is a {@code List} whose first entry is an |
1600 * <code>Integer</code> (the name type, 0-8) and whose second |
1600 * {@code Integer} (the name type, 0-8) and whose second |
1601 * entry is a <code>String</code> or a byte array (the name, in |
1601 * entry is a {@code String} or a byte array (the name, in |
1602 * string or ASN.1 DER encoded form, respectively). |
1602 * string or ASN.1 DER encoded form, respectively). |
1603 * There can be multiple names of the same type. Note that the |
1603 * There can be multiple names of the same type. Note that the |
1604 * <code>Collection</code> returned may contain duplicate names (same name |
1604 * {@code Collection} returned may contain duplicate names (same name |
1605 * and name type). |
1605 * and name type). |
1606 * <p> |
1606 * <p> |
1607 * Each subject alternative name in the <code>Collection</code> |
1607 * Each subject alternative name in the {@code Collection} |
1608 * may be specified either as a <code>String</code> or as an ASN.1 encoded |
1608 * may be specified either as a {@code String} or as an ASN.1 encoded |
1609 * byte array. For more details about the formats used, see |
1609 * byte array. For more details about the formats used, see |
1610 * {@link #addSubjectAlternativeName(int type, String name) |
1610 * {@link #addSubjectAlternativeName(int type, String name) |
1611 * addSubjectAlternativeName(int type, String name)} and |
1611 * addSubjectAlternativeName(int type, String name)} and |
1612 * {@link #addSubjectAlternativeName(int type, byte [] name) |
1612 * {@link #addSubjectAlternativeName(int type, byte [] name) |
1613 * addSubjectAlternativeName(int type, byte [] name)}. |
1613 * addSubjectAlternativeName(int type, byte [] name)}. |
1614 * <p> |
1614 * <p> |
1615 * Note that a deep copy is performed on the <code>Collection</code> to |
1615 * Note that a deep copy is performed on the {@code Collection} to |
1616 * protect against subsequent modifications. |
1616 * protect against subsequent modifications. |
1617 * |
1617 * |
1618 * @return a <code>Collection</code> of names (or <code>null</code>) |
1618 * @return a {@code Collection} of names (or {@code null}) |
1619 * @see #setSubjectAlternativeNames |
1619 * @see #setSubjectAlternativeNames |
1620 */ |
1620 */ |
1621 public Collection<List<?>> getSubjectAlternativeNames() { |
1621 public Collection<List<?>> getSubjectAlternativeNames() { |
1622 if (subjectAlternativeNames == null) { |
1622 if (subjectAlternativeNames == null) { |
1623 return null; |
1623 return null; |
1626 } |
1626 } |
1627 |
1627 |
1628 /** |
1628 /** |
1629 * Clone an object of the form passed to |
1629 * Clone an object of the form passed to |
1630 * setSubjectAlternativeNames and setPathToNames. |
1630 * setSubjectAlternativeNames and setPathToNames. |
1631 * Throw a <code>RuntimeException</code> if the argument is malformed. |
1631 * Throw a {@code RuntimeException} if the argument is malformed. |
1632 * <p> |
1632 * <p> |
1633 * This method wraps cloneAndCheckNames, changing any |
1633 * This method wraps cloneAndCheckNames, changing any |
1634 * <code>IOException</code> into a <code>RuntimeException</code>. This |
1634 * {@code IOException} into a {@code RuntimeException}. This |
1635 * method should be used when the object being |
1635 * method should be used when the object being |
1636 * cloned has already been checked, so there should never be any exceptions. |
1636 * cloned has already been checked, so there should never be any exceptions. |
1637 * |
1637 * |
1638 * @param names a <code>Collection</code> with one entry per name. |
1638 * @param names a {@code Collection} with one entry per name. |
1639 * Each entry is a <code>List</code> whose first entry |
1639 * Each entry is a {@code List} whose first entry |
1640 * is an Integer (the name type, 0-8) and whose second |
1640 * is an Integer (the name type, 0-8) and whose second |
1641 * entry is a String or a byte array (the name, in |
1641 * entry is a String or a byte array (the name, in |
1642 * string or ASN.1 DER encoded form, respectively). |
1642 * string or ASN.1 DER encoded form, respectively). |
1643 * There can be multiple names of the same type. Null |
1643 * There can be multiple names of the same type. Null |
1644 * is not an acceptable value. |
1644 * is not an acceptable value. |
1645 * @return a deep copy of the specified <code>Collection</code> |
1645 * @return a deep copy of the specified {@code Collection} |
1646 * @throws RuntimeException if a parsing error occurs |
1646 * @throws RuntimeException if a parsing error occurs |
1647 */ |
1647 */ |
1648 private static Set<List<?>> cloneNames(Collection<List<?>> names) { |
1648 private static Set<List<?>> cloneNames(Collection<List<?>> names) { |
1649 try { |
1649 try { |
1650 return cloneAndCheckNames(names); |
1650 return cloneAndCheckNames(names); |
1655 } |
1655 } |
1656 |
1656 |
1657 /** |
1657 /** |
1658 * Clone and check an argument of the form passed to |
1658 * Clone and check an argument of the form passed to |
1659 * setSubjectAlternativeNames and setPathToNames. |
1659 * setSubjectAlternativeNames and setPathToNames. |
1660 * Throw an <code>IOException</code> if the argument is malformed. |
1660 * Throw an {@code IOException} if the argument is malformed. |
1661 * |
1661 * |
1662 * @param names a <code>Collection</code> with one entry per name. |
1662 * @param names a {@code Collection} with one entry per name. |
1663 * Each entry is a <code>List</code> whose first entry |
1663 * Each entry is a {@code List} whose first entry |
1664 * is an Integer (the name type, 0-8) and whose second |
1664 * is an Integer (the name type, 0-8) and whose second |
1665 * entry is a String or a byte array (the name, in |
1665 * entry is a String or a byte array (the name, in |
1666 * string or ASN.1 DER encoded form, respectively). |
1666 * string or ASN.1 DER encoded form, respectively). |
1667 * There can be multiple names of the same type. |
1667 * There can be multiple names of the same type. |
1668 * <code>null</code> is not an acceptable value. |
1668 * {@code null} is not an acceptable value. |
1669 * @return a deep copy of the specified <code>Collection</code> |
1669 * @return a deep copy of the specified {@code Collection} |
1670 * @throws IOException if a parsing error occurs |
1670 * @throws IOException if a parsing error occurs |
1671 */ |
1671 */ |
1672 private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException { |
1672 private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException { |
1673 // Copy the Lists and Collection |
1673 // Copy the Lists and Collection |
1674 Set<List<?>> namesCopy = new HashSet<List<?>>(); |
1674 Set<List<?>> namesCopy = new HashSet<List<?>>(); |
1749 public int getBasicConstraints() { |
1749 public int getBasicConstraints() { |
1750 return basicConstraints; |
1750 return basicConstraints; |
1751 } |
1751 } |
1752 |
1752 |
1753 /** |
1753 /** |
1754 * Returns the policy criterion. The <code>X509Certificate</code> must |
1754 * Returns the policy criterion. The {@code X509Certificate} must |
1755 * include at least one of the specified policies in its certificate policies |
1755 * include at least one of the specified policies in its certificate policies |
1756 * extension. If the <code>Set</code> returned is empty, then the |
1756 * extension. If the {@code Set} returned is empty, then the |
1757 * <code>X509Certificate</code> must include at least some specified policy |
1757 * {@code X509Certificate} must include at least some specified policy |
1758 * in its certificate policies extension. If the <code>Set</code> returned is |
1758 * in its certificate policies extension. If the {@code Set} returned is |
1759 * <code>null</code>, no policy check will be performed. |
1759 * {@code null}, no policy check will be performed. |
1760 * |
1760 * |
1761 * @return an immutable <code>Set</code> of certificate policy OIDs in |
1761 * @return an immutable {@code Set} of certificate policy OIDs in |
1762 * string format (or <code>null</code>) |
1762 * string format (or {@code null}) |
1763 * @see #setPolicy |
1763 * @see #setPolicy |
1764 */ |
1764 */ |
1765 public Set<String> getPolicy() { |
1765 public Set<String> getPolicy() { |
1766 return policySet; |
1766 return policySet; |
1767 } |
1767 } |
1768 |
1768 |
1769 /** |
1769 /** |
1770 * Returns a copy of the pathToNames criterion. The |
1770 * Returns a copy of the pathToNames criterion. The |
1771 * <code>X509Certificate</code> must not include name constraints that would |
1771 * {@code X509Certificate} must not include name constraints that would |
1772 * prohibit building a path to the specified names. If the value |
1772 * prohibit building a path to the specified names. If the value |
1773 * returned is <code>null</code>, no pathToNames check will be performed. |
1773 * returned is {@code null}, no pathToNames check will be performed. |
1774 * <p> |
1774 * <p> |
1775 * If the value returned is not <code>null</code>, it is a |
1775 * If the value returned is not {@code null}, it is a |
1776 * <code>Collection</code> with one |
1776 * {@code Collection} with one |
1777 * entry for each name to be included in the pathToNames |
1777 * entry for each name to be included in the pathToNames |
1778 * criterion. Each entry is a <code>List</code> whose first entry is an |
1778 * criterion. Each entry is a {@code List} whose first entry is an |
1779 * <code>Integer</code> (the name type, 0-8) and whose second |
1779 * {@code Integer} (the name type, 0-8) and whose second |
1780 * entry is a <code>String</code> or a byte array (the name, in |
1780 * entry is a {@code String} or a byte array (the name, in |
1781 * string or ASN.1 DER encoded form, respectively). |
1781 * string or ASN.1 DER encoded form, respectively). |
1782 * There can be multiple names of the same type. Note that the |
1782 * There can be multiple names of the same type. Note that the |
1783 * <code>Collection</code> returned may contain duplicate names (same |
1783 * {@code Collection} returned may contain duplicate names (same |
1784 * name and name type). |
1784 * name and name type). |
1785 * <p> |
1785 * <p> |
1786 * Each name in the <code>Collection</code> |
1786 * Each name in the {@code Collection} |
1787 * may be specified either as a <code>String</code> or as an ASN.1 encoded |
1787 * may be specified either as a {@code String} or as an ASN.1 encoded |
1788 * byte array. For more details about the formats used, see |
1788 * byte array. For more details about the formats used, see |
1789 * {@link #addPathToName(int type, String name) |
1789 * {@link #addPathToName(int type, String name) |
1790 * addPathToName(int type, String name)} and |
1790 * addPathToName(int type, String name)} and |
1791 * {@link #addPathToName(int type, byte [] name) |
1791 * {@link #addPathToName(int type, byte [] name) |
1792 * addPathToName(int type, byte [] name)}. |
1792 * addPathToName(int type, byte [] name)}. |
1793 * <p> |
1793 * <p> |
1794 * Note that a deep copy is performed on the <code>Collection</code> to |
1794 * Note that a deep copy is performed on the {@code Collection} to |
1795 * protect against subsequent modifications. |
1795 * protect against subsequent modifications. |
1796 * |
1796 * |
1797 * @return a <code>Collection</code> of names (or <code>null</code>) |
1797 * @return a {@code Collection} of names (or {@code null}) |
1798 * @see #setPathToNames |
1798 * @see #setPathToNames |
1799 */ |
1799 */ |
1800 public Collection<List<?>> getPathToNames() { |
1800 public Collection<List<?>> getPathToNames() { |
1801 if (pathToNames == null) { |
1801 if (pathToNames == null) { |
1802 return null; |
1802 return null; |
1803 } |
1803 } |
1804 return cloneNames(pathToNames); |
1804 return cloneNames(pathToNames); |
1805 } |
1805 } |
1806 |
1806 |
1807 /** |
1807 /** |
1808 * Return a printable representation of the <code>CertSelector</code>. |
1808 * Return a printable representation of the {@code CertSelector}. |
1809 * |
1809 * |
1810 * @return a <code>String</code> describing the contents of the |
1810 * @return a {@code String} describing the contents of the |
1811 * <code>CertSelector</code> |
1811 * {@code CertSelector} |
1812 */ |
1812 */ |
1813 public String toString() { |
1813 public String toString() { |
1814 StringBuffer sb = new StringBuffer(); |
1814 StringBuffer sb = new StringBuffer(); |
1815 sb.append("X509CertSelector: [\n"); |
1815 sb.append("X509CertSelector: [\n"); |
1816 if (x509Cert != null) { |
1816 if (x509Cert != null) { |
1925 return (s); |
1925 return (s); |
1926 } |
1926 } |
1927 |
1927 |
1928 /** |
1928 /** |
1929 * Returns an Extension object given any X509Certificate and extension oid. |
1929 * Returns an Extension object given any X509Certificate and extension oid. |
1930 * Throw an <code>IOException</code> if the extension byte value is |
1930 * Throw an {@code IOException} if the extension byte value is |
1931 * malformed. |
1931 * malformed. |
1932 * |
1932 * |
1933 * @param cert a <code>X509Certificate</code> |
1933 * @param cert a {@code X509Certificate} |
1934 * @param extId an <code>integer</code> which specifies the extension index. |
1934 * @param extId an {@code integer} which specifies the extension index. |
1935 * Currently, the supported extensions are as follows: |
1935 * Currently, the supported extensions are as follows: |
1936 * index 0 - PrivateKeyUsageExtension |
1936 * index 0 - PrivateKeyUsageExtension |
1937 * index 1 - SubjectAlternativeNameExtension |
1937 * index 1 - SubjectAlternativeNameExtension |
1938 * index 2 - NameConstraintsExtension |
1938 * index 2 - NameConstraintsExtension |
1939 * index 3 - CertificatePoliciesExtension |
1939 * index 3 - CertificatePoliciesExtension |
1940 * index 4 - ExtendedKeyUsageExtension |
1940 * index 4 - ExtendedKeyUsageExtension |
1941 * @return an <code>Extension</code> object whose real type is as specified |
1941 * @return an {@code Extension} object whose real type is as specified |
1942 * by the extension oid. |
1942 * by the extension oid. |
1943 * @throws IOException if cannot construct the <code>Extension</code> |
1943 * @throws IOException if cannot construct the {@code Extension} |
1944 * object with the extension encoding retrieved from the passed in |
1944 * object with the extension encoding retrieved from the passed in |
1945 * <code>X509Certificate</code>. |
1945 * {@code X509Certificate}. |
1946 */ |
1946 */ |
1947 private static Extension getExtensionObject(X509Certificate cert, int extId) |
1947 private static Extension getExtensionObject(X509Certificate cert, int extId) |
1948 throws IOException { |
1948 throws IOException { |
1949 if (cert instanceof X509CertImpl) { |
1949 if (cert instanceof X509CertImpl) { |
1950 X509CertImpl impl = (X509CertImpl)cert; |
1950 X509CertImpl impl = (X509CertImpl)cert; |