1 /* 2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.util; 27 28 import java.io.*; 29 import java.math.BigInteger; 30 import java.util.Arrays; 31 32 /** 33 * Represent an ISO Object Identifier. 34 * 35 * <P>Object Identifiers are arbitrary length hierarchical identifiers. 36 * The individual components are numbers, and they define paths from the 37 * root of an ISO-managed identifier space. You will sometimes see a 38 * string name used instead of (or in addition to) the numerical id. 39 * These are synonyms for the numerical IDs, but are not widely used 40 * since most sites do not know all the requisite strings, while all 41 * sites can parse the numeric forms. 42 * 43 * <P>So for example, JavaSoft has the sole authority to assign the 44 * meaning to identifiers below the 1.3.6.1.4.1.42.2.17 node in the 45 * hierarchy, and other organizations can easily acquire the ability 46 * to assign such unique identifiers. 47 * 48 * @author David Brownell 49 * @author Amit Kapoor 50 * @author Hemma Prafullchandra 51 */ 52 53 final public 54 class ObjectIdentifier implements Serializable 55 { 56 /** 57 * We use the DER value (no tag, no length) as the internal format 58 * @serial 59 */ 60 private byte[] encoding = null; 61 62 private transient volatile String stringForm; 63 64 /* 65 * IMPORTANT NOTES FOR CODE CHANGES (bug 4811968) IN JDK 1.7.0 66 * =========================================================== 67 * 68 * (Almost) serialization compatibility with old versions: 69 * 70 * serialVersionUID is unchanged. Old field "component" is changed to 71 * type Object so that "poison" (unknown object type for old versions) 72 * can be put inside if there are huge components that cannot be saved 73 * as integers. 74 * 75 * New version use the new filed "encoding" only. 76 * 77 * Below are all 4 cases in a serialization/deserialization process: 78 * 79 * 1. old -> old: Not covered here 80 * 2. old -> new: There's no "encoding" field, new readObject() reads 81 * "components" and "componentLen" instead and inits correctly. 82 * 3. new -> new: "encoding" field exists, new readObject() uses it 83 * (ignoring the other 2 fields) and inits correctly. 84 * 4. new -> old: old readObject() only recognizes "components" and 85 * "componentLen" fields. If no huge components are involved, they 86 * are serialized as legal values and old object can init correctly. 87 * Otherwise, old object cannot recognize the form (component not int[]) 88 * and throw a ClassNotFoundException at deserialization time. 89 * 90 * Therfore, for the first 3 cases, exact compatibility is preserved. In 91 * the 4th case, non-huge OID is still supportable in old versions, while 92 * huge OID is not. 93 */ 94 private static final long serialVersionUID = 8697030238860181294L; 95 96 /** 97 * Changed to Object 98 * @serial 99 */ 100 private Object components = null; // path from root 101 /** 102 * @serial 103 */ 104 private int componentLen = -1; // how much is used. 105 106 // Is the components field calculated? 107 transient private boolean componentsCalculated = false; 108 109 private void readObject(ObjectInputStream is) 110 throws IOException, ClassNotFoundException { 111 is.defaultReadObject(); 112 113 if (encoding == null) { // from an old version 114 int[] comp = (int[])components; 115 if (componentLen > comp.length) { 116 componentLen = comp.length; 117 } 118 init(comp, componentLen); 119 } 120 } 121 122 private void writeObject(ObjectOutputStream os) 123 throws IOException { 124 if (!componentsCalculated) { 125 int[] comps = toIntArray(); 126 if (comps != null) { // every one understands this 127 components = comps; 128 componentLen = comps.length; 129 } else { 130 components = HugeOidNotSupportedByOldJDK.theOne; 131 } 132 componentsCalculated = true; 133 } 134 os.defaultWriteObject(); 135 } 136 137 static class HugeOidNotSupportedByOldJDK implements Serializable { 138 private static final long serialVersionUID = 1L; 139 static HugeOidNotSupportedByOldJDK theOne = new HugeOidNotSupportedByOldJDK(); 140 } 141 142 /** 143 * Constructs, from a string. This string should be of the form 1.23.56. 144 * Validity check included. 145 */ 146 public ObjectIdentifier (String oid) throws IOException 147 { 148 int ch = '.'; 149 int start = 0; 150 int end = 0; 151 152 int pos = 0; 153 byte[] tmp = new byte[oid.length()]; 154 int first = 0, second; 155 int count = 0; 156 157 try { 158 String comp = null; 159 do { 160 int length = 0; // length of one section 161 end = oid.indexOf(ch,start); 162 if (end == -1) { 163 comp = oid.substring(start); 164 length = oid.length() - start; 165 } else { 166 comp = oid.substring(start,end); 167 length = end - start; 168 } 169 170 if (length > 9) { 171 BigInteger bignum = new BigInteger(comp); 172 if (count == 0) { 173 checkFirstComponent(bignum); 174 first = bignum.intValue(); 175 } else { 176 if (count == 1) { 177 checkSecondComponent(first, bignum); 178 bignum = bignum.add(BigInteger.valueOf(40*first)); 179 } else { 180 checkOtherComponent(count, bignum); 181 } 182 pos += pack7Oid(bignum, tmp, pos); 183 } 184 } else { 185 int num = Integer.parseInt(comp); 186 if (count == 0) { 187 checkFirstComponent(num); 188 first = num; 189 } else { 190 if (count == 1) { 191 checkSecondComponent(first, num); 192 num += 40 * first; 193 } else { 194 checkOtherComponent(count, num); 195 } 196 pos += pack7Oid(num, tmp, pos); 197 } 198 } 199 start = end + 1; 200 count++; 201 } while (end != -1); 202 203 checkCount(count); 204 encoding = new byte[pos]; 205 System.arraycopy(tmp, 0, encoding, 0, pos); 206 this.stringForm = oid; 207 } catch (IOException ioe) { // already detected by checkXXX 208 throw ioe; 209 } catch (Exception e) { 210 throw new IOException("ObjectIdentifier() -- Invalid format: " 211 + e.toString(), e); 212 } 213 } 214 215 /** 216 * Constructor, from an array of integers. 217 * Validity check included. 218 */ 219 public ObjectIdentifier (int values []) throws IOException 220 { 221 checkCount(values.length); 222 checkFirstComponent(values[0]); 223 checkSecondComponent(values[0], values[1]); 224 for (int i=2; i<values.length; i++) 225 checkOtherComponent(i, values[i]); 226 init(values, values.length); 227 } 228 229 /** 230 * Constructor, from an ASN.1 encoded input stream. 231 * Validity check NOT included. 232 * The encoding of the ID in the stream uses "DER", a BER/1 subset. 233 * In this case, that means a triple { typeId, length, data }. 234 * 235 * <P><STRONG>NOTE:</STRONG> When an exception is thrown, the 236 * input stream has not been returned to its "initial" state. 237 * 238 * @param in DER-encoded data holding an object ID 239 * @exception IOException indicates a decoding error 240 */ 241 public ObjectIdentifier (DerInputStream in) throws IOException 242 { 243 byte type_id; 244 int bufferEnd; 245 246 /* 247 * Object IDs are a "universal" type, and their tag needs only 248 * one byte of encoding. Verify that the tag of this datum 249 * is that of an object ID. 250 * 251 * Then get and check the length of the ID's encoding. We set 252 * up so that we can use in.available() to check for the end of 253 * this value in the data stream. 254 */ 255 type_id = (byte) in.getByte (); 256 if (type_id != DerValue.tag_ObjectId) 257 throw new IOException ( 258 "ObjectIdentifier() -- data isn't an object ID" 259 + " (tag = " + type_id + ")" 260 ); 261 262 int len = in.getLength(); 263 if (len > in.available()) { 264 throw new IOException("ObjectIdentifier() -- length exceeds" + 265 "data available. Length: " + len + ", Available: " + 266 in.available()); 267 } 268 encoding = new byte[len]; 269 in.getBytes(encoding); 270 check(encoding); 271 } 272 273 /* 274 * Constructor, from the rest of a DER input buffer; 275 * the tag and length have been removed/verified 276 * Validity check NOT included. 277 */ 278 ObjectIdentifier (DerInputBuffer buf) throws IOException 279 { 280 DerInputStream in = new DerInputStream(buf); 281 encoding = new byte[in.available()]; 282 in.getBytes(encoding); 283 check(encoding); 284 } 285 286 private void init(int[] components, int length) { 287 int pos = 0; 288 byte[] tmp = new byte[length*5+1]; // +1 for empty input 289 290 if (components[1] < Integer.MAX_VALUE - components[0]*40) 291 pos += pack7Oid(components[0]*40+components[1], tmp, pos); 292 else { 293 BigInteger big = BigInteger.valueOf(components[1]); 294 big = big.add(BigInteger.valueOf(components[0]*40)); 295 pos += pack7Oid(big, tmp, pos); 296 } 297 298 for (int i=2; i<length; i++) { 299 pos += pack7Oid(components[i], tmp, pos); 300 } 301 encoding = new byte[pos]; 302 System.arraycopy(tmp, 0, encoding, 0, pos); 303 } 304 305 /** 306 * This method is kept for compatibility reasons. The new implementation 307 * does the check and conversion. All around the JDK, the method is called 308 * in static blocks to initialize pre-defined ObjectIdentifieies. No 309 * obvious performance hurt will be made after this change. 310 * 311 * Old doc: Create a new ObjectIdentifier for internal use. The values are 312 * neither checked nor cloned. 313 */ 314 public static ObjectIdentifier newInternal(int[] values) { 315 try { 316 return new ObjectIdentifier(values); 317 } catch (IOException ex) { 318 throw new RuntimeException(ex); 319 // Should not happen, internal calls always uses legal values. 320 } 321 } 322 323 /* 324 * n.b. the only public interface is DerOutputStream.putOID() 325 */ 326 void encode (DerOutputStream out) throws IOException 327 { 328 out.write (DerValue.tag_ObjectId, encoding); 329 } 330 331 /** 332 * @deprecated Use equals((Object)oid) 333 */ 334 @Deprecated 335 public boolean equals(ObjectIdentifier other) { 336 return equals((Object)other); 337 } 338 339 /** 340 * Compares this identifier with another, for equality. 341 * 342 * @return true iff the names are identical. 343 */ 344 @Override 345 public boolean equals(Object obj) { 346 if (this == obj) { 347 return true; 348 } 349 if (obj instanceof ObjectIdentifier == false) { 350 return false; 351 } 352 ObjectIdentifier other = (ObjectIdentifier)obj; 353 return Arrays.equals(encoding, other.encoding); 354 } 355 356 @Override 357 public int hashCode() { 358 return Arrays.hashCode(encoding); 359 } 360 361 /** 362 * Private helper method for serialization. To be compatible with old 363 * versions of JDK. 364 * @return components in an int array, if all the components are less than 365 * Integer.MAX_VALUE. Otherwise, null. 366 */ 367 private int[] toIntArray() { 368 int length = encoding.length; 369 int[] result = new int[20]; 370 int which = 0; 371 int fromPos = 0; 372 for (int i = 0; i < length; i++) { 373 if ((encoding[i] & 0x80) == 0) { 374 // one section [fromPos..i] 375 if (i - fromPos + 1 > 4) { 376 BigInteger big = new BigInteger(pack(encoding, fromPos, i-fromPos+1, 7, 8)); 377 if (fromPos == 0) { 378 result[which++] = 2; 379 BigInteger second = big.subtract(BigInteger.valueOf(80)); 380 if (second.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) == 1) { 381 return null; 382 } else { 383 result[which++] = second.intValue(); 384 } 385 } else { 386 if (big.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) == 1) { 387 return null; 388 } else { 389 result[which++] = big.intValue(); 390 } 391 } 392 } else { 393 int retval = 0; 394 for (int j = fromPos; j <= i; j++) { 395 retval <<= 7; 396 byte tmp = encoding[j]; 397 retval |= (tmp & 0x07f); 398 } 399 if (fromPos == 0) { 400 if (retval < 80) { 401 result[which++] = retval / 40; 402 result[which++] = retval % 40; 403 } else { 404 result[which++] = 2; 405 result[which++] = retval - 80; 406 } 407 } else { 408 result[which++] = retval; 409 } 410 } 411 fromPos = i+1; 412 } 413 if (which >= result.length) { 414 result = Arrays.copyOf(result, which + 10); 415 } 416 } 417 return Arrays.copyOf(result, which); 418 } 419 420 /** 421 * Returns a string form of the object ID. The format is the 422 * conventional "dot" notation for such IDs, without any 423 * user-friendly descriptive strings, since those strings 424 * will not be understood everywhere. 425 */ 426 @Override 427 public String toString() { 428 String s = stringForm; 429 if (s == null) { 430 int length = encoding.length; 431 StringBuffer sb = new StringBuffer(length * 4); 432 433 int fromPos = 0; 434 for (int i = 0; i < length; i++) { 435 if ((encoding[i] & 0x80) == 0) { 436 // one section [fromPos..i] 437 if (fromPos != 0) { // not the first segment 438 sb.append('.'); 439 } 440 if (i - fromPos + 1 > 4) { // maybe big integer 441 BigInteger big = new BigInteger(pack(encoding, fromPos, i-fromPos+1, 7, 8)); 442 if (fromPos == 0) { 443 // first section encoded with more than 4 bytes, 444 // must be 2.something 445 sb.append("2."); 446 sb.append(big.subtract(BigInteger.valueOf(80))); 447 } else { 448 sb.append(big); 449 } 450 } else { // small integer 451 int retval = 0; 452 for (int j = fromPos; j <= i; j++) { 453 retval <<= 7; 454 byte tmp = encoding[j]; 455 retval |= (tmp & 0x07f); 456 } 457 if (fromPos == 0) { 458 if (retval < 80) { 459 sb.append(retval/40); 460 sb.append('.'); 461 sb.append(retval%40); 462 } else { 463 sb.append("2."); 464 sb.append(retval - 80); 465 } 466 } else { 467 sb.append(retval); 468 } 469 } 470 fromPos = i+1; 471 } 472 } 473 s = sb.toString(); 474 stringForm = s; 475 } 476 return s; 477 } 478 479 /** 480 * Repack all bits from input to output. On the both sides, only a portion 481 * (from the least significant bit) of the 8 bits in a byte is used. This 482 * number is defined as the number of useful bits (NUB) for the array. All the 483 * used bits from the input byte array and repacked into the output in the 484 * exactly same order. The output bits are aligned so that the final bit of 485 * the input (the least significant bit in the last byte), when repacked as 486 * the final bit of the output, is still at the least significant position. 487 * Zeroes will be padded on the left side of the first output byte if 488 * necessary. All unused bits in the output are also zeroed. 489 * 490 * For example: if the input is 01001100 with NUB 8, the output which 491 * has a NUB 6 will look like: 492 * 00000001 00001100 493 * The first 2 bits of the output bytes are unused bits. The other bits 494 * turn out to be 000001 001100. While the 8 bits on the right are from 495 * the input, the left 4 zeroes are padded to fill the 6 bits space. 496 * 497 * @param in the input byte array 498 * @param ioffset start point inside <code>in</code> 499 * @param ilength number of bytes to repack 500 * @param iw NUB for input 501 * @param ow NUB for output 502 * @return the repacked bytes 503 */ 504 private static byte[] pack(byte[] in, int ioffset, int ilength, int iw, int ow) { 505 assert (iw > 0 && iw <= 8): "input NUB must be between 1 and 8"; 506 assert (ow > 0 && ow <= 8): "output NUB must be between 1 and 8"; 507 508 if (iw == ow) { 509 return in.clone(); 510 } 511 512 int bits = ilength * iw; // number of all used bits 513 byte[] out = new byte[(bits+ow-1)/ow]; 514 515 // starting from the 0th bit in the input 516 int ipos = 0; 517 518 // the number of padding 0's needed in the output, skip them 519 int opos = (bits+ow-1)/ow*ow-bits; 520 521 while(ipos < bits) { 522 int count = iw - ipos%iw; // unpacked bits in current input byte 523 if (count > ow - opos%ow) { // free space available in output byte 524 count = ow - opos%ow; // choose the smaller number 525 } 526 // and move them! 527 out[opos/ow] |= // paste! 528 (((in[ioffset+ipos/iw]+256) // locate the byte (+256 so that it's never negative) 529 >> (iw-ipos%iw-count)) // move to the end of a byte 530 & ((1 << (count))-1)) // zero out all other bits 531 << (ow-opos%ow-count); // move to the output position 532 ipos += count; // advance 533 opos += count; // advance 534 } 535 return out; 536 } 537 538 /** 539 * Repack from NUB 8 to a NUB 7 OID sub-identifier, remove all 540 * unnecessary 0 headings, set the first bit of all non-tail 541 * output bytes to 1 (as ITU-T Rec. X.690 8.19.2 says), and 542 * paste it into an existing byte array. 543 * @param out the existing array to be pasted into 544 * @param ooffset the starting position to paste 545 * @return the number of bytes pasted 546 */ 547 private static int pack7Oid(byte[] in, int ioffset, int ilength, byte[] out, int ooffset) { 548 byte[] pack = pack(in, ioffset, ilength, 8, 7); 549 int firstNonZero = pack.length-1; // paste at least one byte 550 for (int i=pack.length-2; i>=0; i--) { 551 if (pack[i] != 0) { 552 firstNonZero = i; 553 } 554 pack[i] |= 0x80; 555 } 556 System.arraycopy(pack, firstNonZero, out, ooffset, pack.length-firstNonZero); 557 return pack.length-firstNonZero; 558 } 559 560 /** 561 * Repack from NUB 7 to NUB 8, remove all unnecessary 0 562 * headings, and paste it into an existing byte array. 563 * @param out the existing array to be pasted into 564 * @param ooffset the starting position to paste 565 * @return the number of bytes pasted 566 */ 567 private static int pack8(byte[] in, int ioffset, int ilength, byte[] out, int ooffset) { 568 byte[] pack = pack(in, ioffset, ilength, 7, 8); 569 int firstNonZero = pack.length-1; // paste at least one byte 570 for (int i=pack.length-2; i>=0; i--) { 571 if (pack[i] != 0) { 572 firstNonZero = i; 573 } 574 } 575 System.arraycopy(pack, firstNonZero, out, ooffset, pack.length-firstNonZero); 576 return pack.length-firstNonZero; 577 } 578 579 /** 580 * Pack the int into a OID sub-identifier DER encoding 581 */ 582 private static int pack7Oid(int input, byte[] out, int ooffset) { 583 byte[] b = new byte[4]; 584 b[0] = (byte)(input >> 24); 585 b[1] = (byte)(input >> 16); 586 b[2] = (byte)(input >> 8); 587 b[3] = (byte)(input); 588 return pack7Oid(b, 0, 4, out, ooffset); 589 } 590 591 /** 592 * Pack the BigInteger into a OID subidentifier DER encoding 593 */ 594 private static int pack7Oid(BigInteger input, byte[] out, int ooffset) { 595 byte[] b = input.toByteArray(); 596 return pack7Oid(b, 0, b.length, out, ooffset); 597 } 598 599 /** 600 * Private methods to check validity of OID. They must be -- 601 * 1. at least 2 components 602 * 2. all components must be non-negative 603 * 3. the first must be 0, 1 or 2 604 * 4. if the first is 0 or 1, the second must be <40 605 */ 606 607 /** 608 * Check the DER encoding. Since DER encoding defines that the integer bits 609 * are unsigned, so there's no need to check the MSB. 610 */ 611 private static void check(byte[] encoding) throws IOException { 612 int length = encoding.length; 613 if (length < 1 || // too short 614 (encoding[length - 1] & 0x80) != 0) { // not ended 615 throw new IOException("ObjectIdentifier() -- " + 616 "Invalid DER encoding, not ended"); 617 } 618 for (int i=0; i<length; i++) { 619 // 0x80 at the beginning of a subidentifier 620 if (encoding[i] == (byte)0x80 && 621 (i==0 || (encoding[i-1] & 0x80) == 0)) { 622 throw new IOException("ObjectIdentifier() -- " + 623 "Invalid DER encoding, useless extra octet detected"); 624 } 625 } 626 } 627 private static void checkCount(int count) throws IOException { 628 if (count < 2) { 629 throw new IOException("ObjectIdentifier() -- " + 630 "Must be at least two oid components "); 631 } 632 } 633 private static void checkFirstComponent(int first) throws IOException { 634 if (first < 0 || first > 2) { 635 throw new IOException("ObjectIdentifier() -- " + 636 "First oid component is invalid "); 637 } 638 } 639 private static void checkFirstComponent(BigInteger first) throws IOException { 640 if (first.signum() == -1 || 641 first.compareTo(BigInteger.valueOf(2)) == 1) { 642 throw new IOException("ObjectIdentifier() -- " + 643 "First oid component is invalid "); 644 } 645 } 646 private static void checkSecondComponent(int first, int second) throws IOException { 647 if (second < 0 || first != 2 && second > 39) { 648 throw new IOException("ObjectIdentifier() -- " + 649 "Second oid component is invalid "); 650 } 651 } 652 private static void checkSecondComponent(int first, BigInteger second) throws IOException { 653 if (second.signum() == -1 || 654 first != 2 && 655 second.compareTo(BigInteger.valueOf(39)) == 1) { 656 throw new IOException("ObjectIdentifier() -- " + 657 "Second oid component is invalid "); 658 } 659 } 660 private static void checkOtherComponent(int i, int num) throws IOException { 661 if (num < 0) { 662 throw new IOException("ObjectIdentifier() -- " + 663 "oid component #" + (i+1) + " must be non-negative "); 664 } 665 } 666 private static void checkOtherComponent(int i, BigInteger num) throws IOException { 667 if (num.signum() == -1) { 668 throw new IOException("ObjectIdentifier() -- " + 669 "oid component #" + (i+1) + " must be non-negative "); 670 } 671 } 672 }