1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.spec.AlgorithmParameterSpec;
38 import java.security.cert.*;
39 import java.security.cert.Certificate;
40 import java.util.*;
41 import java.util.concurrent.ConcurrentHashMap;
42
43 import javax.security.auth.x500.X500Principal;
44
45 import sun.security.util.*;
46 import sun.security.provider.X509Factory;
47
48 /**
49 * The X509CertImpl class represents an X.509 certificate. These certificates
50 * are widely used to support authentication and other functionality in
51 * Internet security systems. Common applications include Privacy Enhanced
52 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
53 * software distribution, and Secure Electronic Transactions (SET). There
54 * is a commercial infrastructure ready to manage large scale deployments
55 * of X.509 identity certificates.
56 *
57 * <P>These certificates are managed and vouched for by <em>Certificate
58 * Authorities</em> (CAs). CAs are services which create certificates by
59 * placing data in the X.509 standard format and then digitally signing
60 * that data. Such signatures are quite difficult to forge. CAs act as
61 * trusted third parties, making introductions between agents who have no
62 * direct knowledge of each other. CA certificates are either signed by
63 * themselves, or by some other CA such as a "root" CA.
64 *
65 * <P>RFC 1422 is very informative, though it does not describe much
66 * of the recent work being done with X.509 certificates. That includes
67 * a 1996 version (X.509v3) and a variety of enhancements being made to
68 * facilitate an explosion of personal certificates used as "Internet
69 * Drivers' Licences", or with SET for credit card transactions.
70 *
71 * <P>More recent work includes the IETF PKIX Working Group efforts,
72 * especially RFC2459.
73 *
74 * @author Dave Brownell
75 * @author Amit Kapoor
76 * @author Hemma Prafullchandra
77 * @see X509CertInfo
78 */
79 public class X509CertImpl extends X509Certificate implements DerEncoder {
80
81 private static final long serialVersionUID = -3457612960190864406L;
82
83 private static final char DOT = '.';
84 /**
85 * Public attribute names.
86 */
87 public static final String NAME = "x509";
88 public static final String INFO = X509CertInfo.NAME;
89 public static final String ALG_ID = "algorithm";
90 public static final String SIGNATURE = "signature";
91 public static final String SIGNED_CERT = "signed_cert";
92
93 /**
94 * The following are defined for ease-of-use. These
95 * are the most frequently retrieved attributes.
96 */
97 // x509.info.subject.dname
98 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
99 X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME;
100 // x509.info.issuer.dname
101 public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
102 X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME;
103 // x509.info.serialNumber.number
104 public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
105 X509CertInfo.SERIAL_NUMBER + DOT +
106 CertificateSerialNumber.NUMBER;
107 // x509.info.key.value
108 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
109 X509CertInfo.KEY + DOT +
110 CertificateX509Key.KEY;
111
112 // x509.info.version.value
113 public static final String VERSION = NAME + DOT + INFO + DOT +
114 X509CertInfo.VERSION + DOT +
115 CertificateVersion.VERSION;
116
117 // x509.algorithm
118 public static final String SIG_ALG = NAME + DOT + ALG_ID;
119
120 // x509.signature
121 public static final String SIG = NAME + DOT + SIGNATURE;
122
123 // when we sign and decode we set this to true
124 // this is our means to make certificates immutable
125 private boolean readOnly = false;
126
127 // Certificate data, and its envelope
128 private byte[] signedCert = null;
129 protected X509CertInfo info = null;
130 protected AlgorithmId algId = null;
131 protected byte[] signature = null;
132
133 // recognized extension OIDS
134 private static final String KEY_USAGE_OID = "2.5.29.15";
135 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
136 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
137 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
138 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
139 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
140
141 // number of standard key usage bits.
142 private static final int NUM_STANDARD_KEY_USAGE = 9;
143
144 // SubjectAlterntativeNames cache
145 private Collection<List<?>> subjectAlternativeNames;
146
147 // IssuerAlternativeNames cache
148 private Collection<List<?>> issuerAlternativeNames;
149
150 // ExtendedKeyUsage cache
151 private List<String> extKeyUsage;
152
153 // AuthorityInformationAccess cache
154 private Set<AccessDescription> authInfoAccess;
155
156 /**
157 * PublicKey that has previously been used to verify
158 * the signature of this certificate. Null if the certificate has not
159 * yet been verified.
160 */
161 private PublicKey verifiedPublicKey;
162 /**
163 * If verifiedPublicKey is not null, name of the provider used to
164 * successfully verify the signature of this certificate, or the
165 * empty String if no provider was explicitly specified.
166 */
167 private String verifiedProvider;
168 /**
169 * If verifiedPublicKey is not null, result of the verification using
170 * verifiedPublicKey and verifiedProvider. If true, verification was
171 * successful, if false, it failed.
172 */
173 private boolean verificationResult;
174
175 /**
176 * Default constructor.
177 */
178 public X509CertImpl() { }
179
180 /**
181 * Unmarshals a certificate from its encoded form, parsing the
182 * encoded bytes. This form of constructor is used by agents which
183 * need to examine and use certificate contents. That is, this is
184 * one of the more commonly used constructors. Note that the buffer
185 * must include only a certificate, and no "garbage" may be left at
186 * the end. If you need to ignore data at the end of a certificate,
187 * use another constructor.
188 *
189 * @param certData the encoded bytes, with no trailing padding.
190 * @exception CertificateException on parsing and initialization errors.
191 */
192 public X509CertImpl(byte[] certData) throws CertificateException {
193 try {
194 parse(new DerValue(certData));
195 } catch (IOException e) {
196 signedCert = null;
197 throw new CertificateException("Unable to initialize, " + e, e);
198 }
199 }
200
201 /**
202 * unmarshals an X.509 certificate from an input stream. If the
203 * certificate is RFC1421 hex-encoded, then it must begin with
204 * the line X509Factory.BEGIN_CERT and end with the line
205 * X509Factory.END_CERT.
206 *
207 * @param in an input stream holding at least one certificate that may
208 * be either DER-encoded or RFC1421 hex-encoded version of the
209 * DER-encoded certificate.
210 * @exception CertificateException on parsing and initialization errors.
211 */
212 public X509CertImpl(InputStream in) throws CertificateException {
213
214 DerValue der = null;
215
216 BufferedInputStream inBuffered = new BufferedInputStream(in);
217
218 // First try reading stream as HEX-encoded DER-encoded bytes,
219 // since not mistakable for raw DER
220 try {
221 inBuffered.mark(Integer.MAX_VALUE);
222 der = readRFC1421Cert(inBuffered);
223 } catch (IOException ioe) {
224 try {
225 // Next, try reading stream as raw DER-encoded bytes
226 inBuffered.reset();
227 der = new DerValue(inBuffered);
228 } catch (IOException ioe1) {
229 throw new CertificateException("Input stream must be " +
230 "either DER-encoded bytes " +
231 "or RFC1421 hex-encoded " +
232 "DER-encoded bytes: " +
233 ioe1.getMessage(), ioe1);
234 }
235 }
236 try {
237 parse(der);
238 } catch (IOException ioe) {
239 signedCert = null;
240 throw new CertificateException("Unable to parse DER value of " +
241 "certificate, " + ioe, ioe);
242 }
243 }
244
245 /**
246 * read input stream as HEX-encoded DER-encoded bytes
247 *
248 * @param in InputStream to read
249 * @return DerValue corresponding to decoded HEX-encoded bytes
250 * @throws IOException if stream can not be interpreted as RFC1421
251 * encoded bytes
252 */
253 private DerValue readRFC1421Cert(InputStream in) throws IOException {
254 DerValue der = null;
255 String line = null;
256 BufferedReader certBufferedReader =
257 new BufferedReader(new InputStreamReader(in, "ASCII"));
258 try {
259 line = certBufferedReader.readLine();
260 } catch (IOException ioe1) {
261 throw new IOException("Unable to read InputStream: " +
262 ioe1.getMessage());
263 }
264 if (line.equals(X509Factory.BEGIN_CERT)) {
265 /* stream appears to be hex-encoded bytes */
266 ByteArrayOutputStream decstream = new ByteArrayOutputStream();
267 try {
268 while ((line = certBufferedReader.readLine()) != null) {
269 if (line.equals(X509Factory.END_CERT)) {
270 der = new DerValue(decstream.toByteArray());
271 break;
272 } else {
273 decstream.write(Pem.decode(line));
274 }
275 }
276 } catch (IOException ioe2) {
277 throw new IOException("Unable to read InputStream: "
278 + ioe2.getMessage());
279 }
280 } else {
281 throw new IOException("InputStream is not RFC1421 hex-encoded " +
282 "DER bytes");
283 }
284 return der;
285 }
286
287 /**
288 * Construct an initialized X509 Certificate. The certificate is stored
289 * in raw form and has to be signed to be useful.
290 *
291 * @param certInfo the X509CertificateInfo which the Certificate is to be
292 * created from.
293 */
294 public X509CertImpl(X509CertInfo certInfo) {
295 this.info = certInfo;
296 }
297
298 /**
299 * Unmarshal a certificate from its encoded form, parsing a DER value.
300 * This form of constructor is used by agents which need to examine
301 * and use certificate contents.
302 *
303 * @param derVal the der value containing the encoded cert.
304 * @exception CertificateException on parsing and initialization errors.
305 */
306 public X509CertImpl(DerValue derVal) throws CertificateException {
307 try {
308 parse(derVal);
309 } catch (IOException e) {
310 signedCert = null;
311 throw new CertificateException("Unable to initialize, " + e, e);
312 }
313 }
314
315 /**
316 * Appends the certificate to an output stream.
317 *
318 * @param out an input stream to which the certificate is appended.
319 * @exception CertificateEncodingException on encoding errors.
320 */
321 public void encode(OutputStream out)
322 throws CertificateEncodingException {
323 if (signedCert == null)
324 throw new CertificateEncodingException(
325 "Null certificate to encode");
326 try {
327 out.write(signedCert.clone());
328 } catch (IOException e) {
329 throw new CertificateEncodingException(e.toString());
330 }
331 }
332
333 /**
334 * DER encode this object onto an output stream.
335 * Implements the <code>DerEncoder</code> interface.
336 *
337 * @param out the output stream on which to write the DER encoding.
338 *
339 * @exception IOException on encoding error.
340 */
341 public void derEncode(OutputStream out) throws IOException {
342 if (signedCert == null)
343 throw new IOException("Null certificate to encode");
344 out.write(signedCert.clone());
345 }
346
347 /**
348 * Returns the encoded form of this certificate. It is
349 * assumed that each certificate type would have only a single
350 * form of encoding; for example, X.509 certificates would
351 * be encoded as ASN.1 DER.
352 *
353 * @exception CertificateEncodingException if an encoding error occurs.
354 */
355 public byte[] getEncoded() throws CertificateEncodingException {
356 return getEncodedInternal().clone();
357 }
358
359 /**
360 * Returned the encoding as an uncloned byte array. Callers must
361 * guarantee that they neither modify it nor expose it to untrusted
362 * code.
363 */
364 public byte[] getEncodedInternal() throws CertificateEncodingException {
365 if (signedCert == null) {
366 throw new CertificateEncodingException(
367 "Null certificate to encode");
368 }
369 return signedCert;
370 }
371
372 /**
373 * Throws an exception if the certificate was not signed using the
374 * verification key provided. Successfully verifying a certificate
375 * does <em>not</em> indicate that one should trust the entity which
376 * it represents.
377 *
378 * @param key the public key used for verification.
379 *
380 * @exception InvalidKeyException on incorrect key.
381 * @exception NoSuchAlgorithmException on unsupported signature
382 * algorithms.
383 * @exception NoSuchProviderException if there's no default provider.
384 * @exception SignatureException on signature errors.
385 * @exception CertificateException on encoding errors.
386 */
387 public void verify(PublicKey key)
388 throws CertificateException, NoSuchAlgorithmException,
389 InvalidKeyException, NoSuchProviderException, SignatureException {
390 verify(key, "");
391 }
392
393 /**
394 * Throws an exception if the certificate was not signed using the
395 * verification key provided. Successfully verifying a certificate
396 * does <em>not</em> indicate that one should trust the entity which
397 * it represents.
398 *
399 * @param key the public key used for verification.
400 * @param sigProvider the name of the provider.
401 *
402 * @exception NoSuchAlgorithmException on unsupported signature
403 * algorithms.
404 * @exception InvalidKeyException on incorrect key.
405 * @exception NoSuchProviderException on incorrect provider.
406 * @exception SignatureException on signature errors.
407 * @exception CertificateException on encoding errors.
408 */
409 public synchronized void verify(PublicKey key, String sigProvider)
410 throws CertificateException, NoSuchAlgorithmException,
411 InvalidKeyException, NoSuchProviderException, SignatureException {
412 if (sigProvider == null) {
413 sigProvider = "";
414 }
415 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
416 // this certificate has already been verified using
417 // this public key. Make sure providers match, too.
418 if (sigProvider.equals(verifiedProvider)) {
419 if (verificationResult) {
420 return;
421 } else {
422 throw new SignatureException("Signature does not match.");
423 }
424 }
425 }
426 if (signedCert == null) {
427 throw new CertificateEncodingException("Uninitialized certificate");
428 }
429 // Verify the signature ...
430 Signature sigVerf = null;
431 if (sigProvider.isEmpty()) {
432 sigVerf = Signature.getInstance(algId.getName());
433 } else {
434 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
435 }
436
437 sigVerf.initVerify(key);
438
439 // set parameters after Signature.initSign/initVerify call,
440 // so the deferred provider selection happens when key is set
441 try {
442 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
443 } catch (ProviderException e) {
444 throw new CertificateException(e.getMessage(), e.getCause());
445 } catch (InvalidAlgorithmParameterException e) {
446 throw new CertificateException(e);
447 }
448
449 byte[] rawCert = info.getEncodedInfo();
450 sigVerf.update(rawCert, 0, rawCert.length);
451
452 // verify may throw SignatureException for invalid encodings, etc.
453 verificationResult = sigVerf.verify(signature);
454 verifiedPublicKey = key;
455 verifiedProvider = sigProvider;
456
457 if (verificationResult == false) {
458 throw new SignatureException("Signature does not match.");
459 }
460 }
461
462 /**
463 * Throws an exception if the certificate was not signed using the
464 * verification key provided. This method uses the signature verification
465 * engine supplied by the specified provider. Note that the specified
466 * Provider object does not have to be registered in the provider list.
467 * Successfully verifying a certificate does <em>not</em> indicate that one
468 * should trust the entity which it represents.
469 *
470 * @param key the public key used for verification.
471 * @param sigProvider the provider.
472 *
473 * @exception NoSuchAlgorithmException on unsupported signature
474 * algorithms.
475 * @exception InvalidKeyException on incorrect key.
476 * @exception SignatureException on signature errors.
477 * @exception CertificateException on encoding errors.
478 */
479 public synchronized void verify(PublicKey key, Provider sigProvider)
480 throws CertificateException, NoSuchAlgorithmException,
481 InvalidKeyException, SignatureException {
482 if (signedCert == null) {
483 throw new CertificateEncodingException("Uninitialized certificate");
484 }
485 // Verify the signature ...
486 Signature sigVerf = null;
487 if (sigProvider == null) {
488 sigVerf = Signature.getInstance(algId.getName());
489 } else {
490 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
491 }
492
493 sigVerf.initVerify(key);
494
495 // set parameters after Signature.initSign/initVerify call,
496 // so the deferred provider selection happens when key is set
497 try {
498 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
499 } catch (ProviderException e) {
500 throw new CertificateException(e.getMessage(), e.getCause());
501 } catch (InvalidAlgorithmParameterException e) {
502 throw new CertificateException(e);
503 }
504
505 byte[] rawCert = info.getEncodedInfo();
506 sigVerf.update(rawCert, 0, rawCert.length);
507
508 // verify may throw SignatureException for invalid encodings, etc.
509 verificationResult = sigVerf.verify(signature);
510 verifiedPublicKey = key;
511
512 if (verificationResult == false) {
513 throw new SignatureException("Signature does not match.");
514 }
515 }
516
517 /**
518 * Creates an X.509 certificate, and signs it using the given key
519 * (associating a signature algorithm and an X.500 name).
520 * This operation is used to implement the certificate generation
521 * functionality of a certificate authority.
522 *
523 * @param key the private key used for signing.
524 * @param algorithm the name of the signature algorithm used.
525 *
526 * @exception InvalidKeyException on incorrect key.
527 * @exception NoSuchAlgorithmException on unsupported signature
528 * algorithms.
529 * @exception NoSuchProviderException if there's no default provider.
530 * @exception SignatureException on signature errors.
531 * @exception CertificateException on encoding errors.
532 */
533 public void sign(PrivateKey key, String algorithm)
534 throws CertificateException, NoSuchAlgorithmException,
535 InvalidKeyException, NoSuchProviderException, SignatureException {
536 sign(key, algorithm, null);
537 }
538
539 /**
540 * Creates an X.509 certificate, and signs it using the given key
541 * (associating a signature algorithm and an X.500 name).
542 * This operation is used to implement the certificate generation
543 * functionality of a certificate authority.
544 *
545 * @param key the private key used for signing.
546 * @param algorithm the name of the signature algorithm used.
547 * @param provider the name of the provider.
548 *
549 * @exception NoSuchAlgorithmException on unsupported signature
550 * algorithms.
551 * @exception InvalidKeyException on incorrect key.
552 * @exception NoSuchProviderException on incorrect provider.
553 * @exception SignatureException on signature errors.
554 * @exception CertificateException on encoding errors.
555 */
556 public void sign(PrivateKey key, String algorithm, String provider)
557 throws CertificateException, NoSuchAlgorithmException,
558 InvalidKeyException, NoSuchProviderException, SignatureException {
559 try {
560 sign(key, null, algorithm, provider);
561 } catch (InvalidAlgorithmParameterException e) {
562 // should not happen; re-throw just in case
563 throw new SignatureException(e);
564 }
565 }
566
567 /**
568 * Creates an X.509 certificate, and signs it using the given key
569 * (associating a signature algorithm and an X.500 name), signature
570 * parameters, and security provider. If the given provider name
571 * is null or empty, the implementation look up will be based on
572 * provider configurations.
573 * This operation is used to implement the certificate generation
574 * functionality of a certificate authority.
575 *
576 * @param key the private key used for signing
577 * @param signingParams the parameters used for signing
578 * @param algorithm the name of the signature algorithm used
579 * @param provider the name of the provider, may be null
580 *
581 * @exception NoSuchAlgorithmException on unsupported signature
582 * algorithms
583 * @exception InvalidKeyException on incorrect key
584 * @exception InvalidAlgorithmParameterException on invalid signature
585 * parameters
586 * @exception NoSuchProviderException on incorrect provider
587 * @exception SignatureException on signature errors
588 * @exception CertificateException on encoding errors
589 */
590 public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
591 String algorithm, String provider)
592 throws CertificateException, NoSuchAlgorithmException,
593 InvalidKeyException, InvalidAlgorithmParameterException,
594 NoSuchProviderException, SignatureException {
595 try {
596 if (readOnly)
597 throw new CertificateEncodingException(
598 "cannot over-write existing certificate");
599 Signature sigEngine = null;
600 if (provider == null || provider.isEmpty())
601 sigEngine = Signature.getInstance(algorithm);
602 else
603 sigEngine = Signature.getInstance(algorithm, provider);
604
605 sigEngine.initSign(key);
606
607 if (signingParams != null) {
608 // set parameters after Signature.initSign/initVerify call, so
609 // the deferred provider selection happens when the key is set
610 sigEngine.setParameter(signingParams);
611 }
612
613 // in case the name is reset
614 if (signingParams != null) {
615 algId = AlgorithmId.get(sigEngine.getParameters());
616 } else {
617 algId = AlgorithmId.get(algorithm);
618 }
619 DerOutputStream out = new DerOutputStream();
620 DerOutputStream tmp = new DerOutputStream();
621
622 // encode certificate info
623 info.encode(tmp);
624 byte[] rawCert = tmp.toByteArray();
625
626 // encode algorithm identifier
627 algId.encode(tmp);
628
629 // Create and encode the signature itself.
630 sigEngine.update(rawCert, 0, rawCert.length);
631 signature = sigEngine.sign();
632 tmp.putBitString(signature);
633
634 // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
635 out.write(DerValue.tag_Sequence, tmp);
636 signedCert = out.toByteArray();
637 readOnly = true;
638
639 } catch (IOException e) {
640 throw new CertificateEncodingException(e.toString());
641 }
642 }
643
644 /**
645 * Checks that the certificate is currently valid, i.e. the current
646 * time is within the specified validity period.
647 *
648 * @exception CertificateExpiredException if the certificate has expired.
649 * @exception CertificateNotYetValidException if the certificate is not
650 * yet valid.
651 */
652 public void checkValidity()
653 throws CertificateExpiredException, CertificateNotYetValidException {
654 Date date = new Date();
655 checkValidity(date);
656 }
657
658 /**
659 * Checks that the specified date is within the certificate's
660 * validity period, or basically if the certificate would be
661 * valid at the specified date/time.
662 *
663 * @param date the Date to check against to see if this certificate
664 * is valid at that date/time.
665 *
666 * @exception CertificateExpiredException if the certificate has expired
667 * with respect to the <code>date</code> supplied.
668 * @exception CertificateNotYetValidException if the certificate is not
669 * yet valid with respect to the <code>date</code> supplied.
670 */
671 public void checkValidity(Date date)
672 throws CertificateExpiredException, CertificateNotYetValidException {
673
674 CertificateValidity interval = null;
675 try {
676 interval = (CertificateValidity)info.get(CertificateValidity.NAME);
677 } catch (Exception e) {
678 throw new CertificateNotYetValidException("Incorrect validity period");
679 }
680 if (interval == null)
681 throw new CertificateNotYetValidException("Null validity period");
682 interval.valid(date);
683 }
684
685 /**
686 * Return the requested attribute from the certificate.
687 *
688 * Note that the X509CertInfo is not cloned for performance reasons.
689 * Callers must ensure that they do not modify it. All other
690 * attributes are cloned.
691 *
692 * @param name the name of the attribute.
693 * @exception CertificateParsingException on invalid attribute identifier.
694 */
695 public Object get(String name)
696 throws CertificateParsingException {
697 X509AttributeName attr = new X509AttributeName(name);
698 String id = attr.getPrefix();
699 if (!(id.equalsIgnoreCase(NAME))) {
700 throw new CertificateParsingException("Invalid root of "
701 + "attribute name, expected [" + NAME +
702 "], received " + "[" + id + "]");
703 }
704 attr = new X509AttributeName(attr.getSuffix());
705 id = attr.getPrefix();
706
707 if (id.equalsIgnoreCase(INFO)) {
708 if (info == null) {
709 return null;
710 }
711 if (attr.getSuffix() != null) {
712 try {
713 return info.get(attr.getSuffix());
714 } catch (IOException e) {
715 throw new CertificateParsingException(e.toString());
716 } catch (CertificateException e) {
717 throw new CertificateParsingException(e.toString());
718 }
719 } else {
720 return info;
721 }
722 } else if (id.equalsIgnoreCase(ALG_ID)) {
723 return(algId);
724 } else if (id.equalsIgnoreCase(SIGNATURE)) {
725 if (signature != null)
726 return signature.clone();
727 else
728 return null;
729 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
730 if (signedCert != null)
731 return signedCert.clone();
732 else
733 return null;
734 } else {
735 throw new CertificateParsingException("Attribute name not "
736 + "recognized or get() not allowed for the same: " + id);
737 }
738 }
739
740 /**
741 * Set the requested attribute in the certificate.
742 *
743 * @param name the name of the attribute.
744 * @param obj the value of the attribute.
745 * @exception CertificateException on invalid attribute identifier.
746 * @exception IOException on encoding error of attribute.
747 */
748 public void set(String name, Object obj)
749 throws CertificateException, IOException {
750 // check if immutable
751 if (readOnly)
752 throw new CertificateException("cannot over-write existing"
753 + " certificate");
754
755 X509AttributeName attr = new X509AttributeName(name);
756 String id = attr.getPrefix();
757 if (!(id.equalsIgnoreCase(NAME))) {
758 throw new CertificateException("Invalid root of attribute name,"
759 + " expected [" + NAME + "], received " + id);
760 }
761 attr = new X509AttributeName(attr.getSuffix());
762 id = attr.getPrefix();
763
764 if (id.equalsIgnoreCase(INFO)) {
765 if (attr.getSuffix() == null) {
766 if (!(obj instanceof X509CertInfo)) {
767 throw new CertificateException("Attribute value should"
768 + " be of type X509CertInfo.");
769 }
770 info = (X509CertInfo)obj;
771 signedCert = null; //reset this as certificate data has changed
772 } else {
773 info.set(attr.getSuffix(), obj);
774 signedCert = null; //reset this as certificate data has changed
775 }
776 } else {
777 throw new CertificateException("Attribute name not recognized or " +
778 "set() not allowed for the same: " + id);
779 }
780 }
781
782 /**
783 * Delete the requested attribute from the certificate.
784 *
785 * @param name the name of the attribute.
786 * @exception CertificateException on invalid attribute identifier.
787 * @exception IOException on other errors.
788 */
789 public void delete(String name)
790 throws CertificateException, IOException {
791 // check if immutable
792 if (readOnly)
793 throw new CertificateException("cannot over-write existing"
794 + " certificate");
795
796 X509AttributeName attr = new X509AttributeName(name);
797 String id = attr.getPrefix();
798 if (!(id.equalsIgnoreCase(NAME))) {
799 throw new CertificateException("Invalid root of attribute name,"
800 + " expected ["
801 + NAME + "], received " + id);
802 }
803 attr = new X509AttributeName(attr.getSuffix());
804 id = attr.getPrefix();
805
806 if (id.equalsIgnoreCase(INFO)) {
807 if (attr.getSuffix() != null) {
808 info = null;
809 } else {
810 info.delete(attr.getSuffix());
811 }
812 } else if (id.equalsIgnoreCase(ALG_ID)) {
813 algId = null;
814 } else if (id.equalsIgnoreCase(SIGNATURE)) {
815 signature = null;
816 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
817 signedCert = null;
818 } else {
819 throw new CertificateException("Attribute name not recognized or " +
820 "delete() not allowed for the same: " + id);
821 }
822 }
823
824 /**
825 * Return an enumeration of names of attributes existing within this
826 * attribute.
827 */
828 public Enumeration<String> getElements() {
829 AttributeNameEnumeration elements = new AttributeNameEnumeration();
830 elements.addElement(NAME + DOT + INFO);
831 elements.addElement(NAME + DOT + ALG_ID);
832 elements.addElement(NAME + DOT + SIGNATURE);
833 elements.addElement(NAME + DOT + SIGNED_CERT);
834
835 return elements.elements();
836 }
837
838 /**
839 * Return the name of this attribute.
840 */
841 public String getName() {
842 return(NAME);
843 }
844
845 /**
846 * Returns a printable representation of the certificate. This does not
847 * contain all the information available to distinguish this from any
848 * other certificate. The certificate must be fully constructed
849 * before this function may be called.
850 */
851 public String toString() {
852 if (info == null || algId == null || signature == null)
853 return "";
854
855 HexDumpEncoder encoder = new HexDumpEncoder();
856 return "[\n" + info + '\n' +
857 " Algorithm: [" + algId + "]\n" +
858 " Signature:\n" + encoder.encodeBuffer(signature) + "\n]";
859 }
860
861 // the strongly typed gets, as per java.security.cert.X509Certificate
862
863 /**
864 * Gets the publickey from this certificate.
865 *
866 * @return the publickey.
867 */
868 public PublicKey getPublicKey() {
869 if (info == null)
870 return null;
871 try {
872 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
873 + DOT + CertificateX509Key.KEY);
874 return key;
875 } catch (Exception e) {
876 return null;
877 }
878 }
879
880 /**
881 * Gets the version number from the certificate.
882 *
883 * @return the version number, i.e. 1, 2 or 3.
884 */
885 public int getVersion() {
886 if (info == null)
887 return -1;
888 try {
889 int vers = ((Integer)info.get(CertificateVersion.NAME
890 + DOT + CertificateVersion.VERSION)).intValue();
891 return vers+1;
892 } catch (Exception e) {
893 return -1;
894 }
895 }
896
897 /**
898 * Gets the serial number from the certificate.
899 *
900 * @return the serial number.
901 */
902 public BigInteger getSerialNumber() {
903 SerialNumber ser = getSerialNumberObject();
904
905 return ser != null ? ser.getNumber() : null;
906 }
907
908 /**
909 * Gets the serial number from the certificate as
910 * a SerialNumber object.
911 *
912 * @return the serial number.
913 */
914 public SerialNumber getSerialNumberObject() {
915 if (info == null)
916 return null;
917 try {
918 SerialNumber ser = (SerialNumber)info.get(
919 CertificateSerialNumber.NAME + DOT +
920 CertificateSerialNumber.NUMBER);
921 return ser;
922 } catch (Exception e) {
923 return null;
924 }
925 }
926
927
928 /**
929 * Gets the subject distinguished name from the certificate.
930 *
931 * @return the subject name.
932 */
933 public Principal getSubjectDN() {
934 if (info == null)
935 return null;
936 try {
937 Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT +
938 X509CertInfo.DN_NAME);
939 return subject;
940 } catch (Exception e) {
941 return null;
942 }
943 }
944
945 /**
946 * Get subject name as X500Principal. Overrides implementation in
947 * X509Certificate with a slightly more efficient version that is
948 * also aware of X509CertImpl mutability.
949 */
950 public X500Principal getSubjectX500Principal() {
951 if (info == null) {
952 return null;
953 }
954 try {
955 X500Principal subject = (X500Principal)info.get(
956 X509CertInfo.SUBJECT + DOT +
957 "x500principal");
958 return subject;
959 } catch (Exception e) {
960 return null;
961 }
962 }
963
964 /**
965 * Gets the issuer distinguished name from the certificate.
966 *
967 * @return the issuer name.
968 */
969 public Principal getIssuerDN() {
970 if (info == null)
971 return null;
972 try {
973 Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT +
974 X509CertInfo.DN_NAME);
975 return issuer;
976 } catch (Exception e) {
977 return null;
978 }
979 }
980
981 /**
982 * Get issuer name as X500Principal. Overrides implementation in
983 * X509Certificate with a slightly more efficient version that is
984 * also aware of X509CertImpl mutability.
985 */
986 public X500Principal getIssuerX500Principal() {
987 if (info == null) {
988 return null;
989 }
990 try {
991 X500Principal issuer = (X500Principal)info.get(
992 X509CertInfo.ISSUER + DOT +
993 "x500principal");
994 return issuer;
995 } catch (Exception e) {
996 return null;
997 }
998 }
999
1000 /**
1001 * Gets the notBefore date from the validity period of the certificate.
1002 *
1003 * @return the start date of the validity period.
1004 */
1005 public Date getNotBefore() {
1006 if (info == null)
1007 return null;
1008 try {
1009 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
1010 CertificateValidity.NOT_BEFORE);
1011 return d;
1012 } catch (Exception e) {
1013 return null;
1014 }
1015 }
1016
1017 /**
1018 * Gets the notAfter date from the validity period of the certificate.
1019 *
1020 * @return the end date of the validity period.
1021 */
1022 public Date getNotAfter() {
1023 if (info == null)
1024 return null;
1025 try {
1026 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
1027 CertificateValidity.NOT_AFTER);
1028 return d;
1029 } catch (Exception e) {
1030 return null;
1031 }
1032 }
1033
1034 /**
1035 * Gets the DER encoded certificate informations, the
1036 * <code>tbsCertificate</code> from this certificate.
1037 * This can be used to verify the signature independently.
1038 *
1039 * @return the DER encoded certificate information.
1040 * @exception CertificateEncodingException if an encoding error occurs.
1041 */
1042 public byte[] getTBSCertificate() throws CertificateEncodingException {
1043 if (info != null) {
1044 return info.getEncodedInfo();
1045 } else
1046 throw new CertificateEncodingException("Uninitialized certificate");
1047 }
1048
1049 /**
1050 * Gets the raw Signature bits from the certificate.
1051 *
1052 * @return the signature.
1053 */
1054 public byte[] getSignature() {
1055 if (signature == null)
1056 return null;
1057 return signature.clone();
1058 }
1059
1060 /**
1061 * Gets the signature algorithm name for the certificate
1062 * signature algorithm.
1063 * For example, the string "SHA-1/DSA" or "DSS".
1064 *
1065 * @return the signature algorithm name.
1066 */
1067 public String getSigAlgName() {
1068 if (algId == null)
1069 return null;
1070 return (algId.getName());
1071 }
1072
1073 /**
1074 * Gets the signature algorithm OID string from the certificate.
1075 * For example, the string "1.2.840.10040.4.3"
1076 *
1077 * @return the signature algorithm oid string.
1078 */
1079 public String getSigAlgOID() {
1080 if (algId == null)
1081 return null;
1082 ObjectIdentifier oid = algId.getOID();
1083 return (oid.toString());
1084 }
1085
1086 /**
1087 * Gets the DER encoded signature algorithm parameters from this
1088 * certificate's signature algorithm.
1089 *
1090 * @return the DER encoded signature algorithm parameters, or
1091 * null if no parameters are present.
1092 */
1093 public byte[] getSigAlgParams() {
1094 if (algId == null)
1095 return null;
1096 try {
1097 return algId.getEncodedParams();
1098 } catch (IOException e) {
1099 return null;
1100 }
1101 }
1102
1103 /**
1104 * Gets the Issuer Unique Identity from the certificate.
1105 *
1106 * @return the Issuer Unique Identity.
1107 */
1108 public boolean[] getIssuerUniqueID() {
1109 if (info == null)
1110 return null;
1111 try {
1112 UniqueIdentity id = (UniqueIdentity)info.get(
1113 X509CertInfo.ISSUER_ID);
1114 if (id == null)
1115 return null;
1116 else
1117 return (id.getId());
1118 } catch (Exception e) {
1119 return null;
1120 }
1121 }
1122
1123 /**
1124 * Gets the Subject Unique Identity from the certificate.
1125 *
1126 * @return the Subject Unique Identity.
1127 */
1128 public boolean[] getSubjectUniqueID() {
1129 if (info == null)
1130 return null;
1131 try {
1132 UniqueIdentity id = (UniqueIdentity)info.get(
1133 X509CertInfo.SUBJECT_ID);
1134 if (id == null)
1135 return null;
1136 else
1137 return (id.getId());
1138 } catch (Exception e) {
1139 return null;
1140 }
1141 }
1142
1143 public KeyIdentifier getAuthKeyId() {
1144 AuthorityKeyIdentifierExtension aki
1145 = getAuthorityKeyIdentifierExtension();
1146 if (aki != null) {
1147 try {
1148 return (KeyIdentifier)aki.get(
1149 AuthorityKeyIdentifierExtension.KEY_ID);
1150 } catch (IOException ioe) {} // not possible
1151 }
1152 return null;
1153 }
1154
1155 /**
1156 * Returns the subject's key identifier, or null
1157 */
1158 public KeyIdentifier getSubjectKeyId() {
1159 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension();
1160 if (ski != null) {
1161 try {
1162 return ski.get(SubjectKeyIdentifierExtension.KEY_ID);
1163 } catch (IOException ioe) {} // not possible
1164 }
1165 return null;
1166 }
1167
1168 /**
1169 * Get AuthorityKeyIdentifier extension
1170 * @return AuthorityKeyIdentifier object or null (if no such object
1171 * in certificate)
1172 */
1173 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
1174 {
1175 return (AuthorityKeyIdentifierExtension)
1176 getExtension(PKIXExtensions.AuthorityKey_Id);
1177 }
1178
1179 /**
1180 * Get BasicConstraints extension
1181 * @return BasicConstraints object or null (if no such object in
1182 * certificate)
1183 */
1184 public BasicConstraintsExtension getBasicConstraintsExtension() {
1185 return (BasicConstraintsExtension)
1186 getExtension(PKIXExtensions.BasicConstraints_Id);
1187 }
1188
1189 /**
1190 * Get CertificatePoliciesExtension
1191 * @return CertificatePoliciesExtension or null (if no such object in
1192 * certificate)
1193 */
1194 public CertificatePoliciesExtension getCertificatePoliciesExtension() {
1195 return (CertificatePoliciesExtension)
1196 getExtension(PKIXExtensions.CertificatePolicies_Id);
1197 }
1198
1199 /**
1200 * Get ExtendedKeyUsage extension
1201 * @return ExtendedKeyUsage extension object or null (if no such object
1202 * in certificate)
1203 */
1204 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
1205 return (ExtendedKeyUsageExtension)
1206 getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
1207 }
1208
1209 /**
1210 * Get IssuerAlternativeName extension
1211 * @return IssuerAlternativeName object or null (if no such object in
1212 * certificate)
1213 */
1214 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
1215 return (IssuerAlternativeNameExtension)
1216 getExtension(PKIXExtensions.IssuerAlternativeName_Id);
1217 }
1218
1219 /**
1220 * Get NameConstraints extension
1221 * @return NameConstraints object or null (if no such object in certificate)
1222 */
1223 public NameConstraintsExtension getNameConstraintsExtension() {
1224 return (NameConstraintsExtension)
1225 getExtension(PKIXExtensions.NameConstraints_Id);
1226 }
1227
1228 /**
1229 * Get PolicyConstraints extension
1230 * @return PolicyConstraints object or null (if no such object in
1231 * certificate)
1232 */
1233 public PolicyConstraintsExtension getPolicyConstraintsExtension() {
1234 return (PolicyConstraintsExtension)
1235 getExtension(PKIXExtensions.PolicyConstraints_Id);
1236 }
1237
1238 /**
1239 * Get PolicyMappingsExtension extension
1240 * @return PolicyMappingsExtension object or null (if no such object
1241 * in certificate)
1242 */
1243 public PolicyMappingsExtension getPolicyMappingsExtension() {
1244 return (PolicyMappingsExtension)
1245 getExtension(PKIXExtensions.PolicyMappings_Id);
1246 }
1247
1248 /**
1249 * Get PrivateKeyUsage extension
1250 * @return PrivateKeyUsage object or null (if no such object in certificate)
1251 */
1252 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
1253 return (PrivateKeyUsageExtension)
1254 getExtension(PKIXExtensions.PrivateKeyUsage_Id);
1255 }
1256
1257 /**
1258 * Get SubjectAlternativeName extension
1259 * @return SubjectAlternativeName object or null (if no such object in
1260 * certificate)
1261 */
1262 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
1263 {
1264 return (SubjectAlternativeNameExtension)
1265 getExtension(PKIXExtensions.SubjectAlternativeName_Id);
1266 }
1267
1268 /**
1269 * Get SubjectKeyIdentifier extension
1270 * @return SubjectKeyIdentifier object or null (if no such object in
1271 * certificate)
1272 */
1273 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
1274 return (SubjectKeyIdentifierExtension)
1275 getExtension(PKIXExtensions.SubjectKey_Id);
1276 }
1277
1278 /**
1279 * Get CRLDistributionPoints extension
1280 * @return CRLDistributionPoints object or null (if no such object in
1281 * certificate)
1282 */
1283 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
1284 return (CRLDistributionPointsExtension)
1285 getExtension(PKIXExtensions.CRLDistributionPoints_Id);
1286 }
1287
1288 /**
1289 * Return true if a critical extension is found that is
1290 * not supported, otherwise return false.
1291 */
1292 public boolean hasUnsupportedCriticalExtension() {
1293 if (info == null)
1294 return false;
1295 try {
1296 CertificateExtensions exts = (CertificateExtensions)info.get(
1297 CertificateExtensions.NAME);
1298 if (exts == null)
1299 return false;
1300 return exts.hasUnsupportedCriticalExtension();
1301 } catch (Exception e) {
1302 return false;
1303 }
1304 }
1305
1306 /**
1307 * Gets a Set of the extension(s) marked CRITICAL in the
1308 * certificate. In the returned set, each extension is
1309 * represented by its OID string.
1310 *
1311 * @return a set of the extension oid strings in the
1312 * certificate that are marked critical.
1313 */
1314 public Set<String> getCriticalExtensionOIDs() {
1315 if (info == null) {
1316 return null;
1317 }
1318 try {
1319 CertificateExtensions exts = (CertificateExtensions)info.get(
1320 CertificateExtensions.NAME);
1321 if (exts == null) {
1322 return null;
1323 }
1324 Set<String> extSet = new TreeSet<>();
1325 for (Extension ex : exts.getAllExtensions()) {
1326 if (ex.isCritical()) {
1327 extSet.add(ex.getExtensionId().toString());
1328 }
1329 }
1330 return extSet;
1331 } catch (Exception e) {
1332 return null;
1333 }
1334 }
1335
1336 /**
1337 * Gets a Set of the extension(s) marked NON-CRITICAL in the
1338 * certificate. In the returned set, each extension is
1339 * represented by its OID string.
1340 *
1341 * @return a set of the extension oid strings in the
1342 * certificate that are NOT marked critical.
1343 */
1344 public Set<String> getNonCriticalExtensionOIDs() {
1345 if (info == null) {
1346 return null;
1347 }
1348 try {
1349 CertificateExtensions exts = (CertificateExtensions)info.get(
1350 CertificateExtensions.NAME);
1351 if (exts == null) {
1352 return null;
1353 }
1354 Set<String> extSet = new TreeSet<>();
1355 for (Extension ex : exts.getAllExtensions()) {
1356 if (!ex.isCritical()) {
1357 extSet.add(ex.getExtensionId().toString());
1358 }
1359 }
1360 extSet.addAll(exts.getUnparseableExtensions().keySet());
1361 return extSet;
1362 } catch (Exception e) {
1363 return null;
1364 }
1365 }
1366
1367 /**
1368 * Gets the extension identified by the given ObjectIdentifier
1369 *
1370 * @param oid the Object Identifier value for the extension.
1371 * @return Extension or null if certificate does not contain this
1372 * extension
1373 */
1374 public Extension getExtension(ObjectIdentifier oid) {
1375 if (info == null) {
1376 return null;
1377 }
1378 try {
1379 CertificateExtensions extensions;
1380 try {
1381 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1382 } catch (CertificateException ce) {
1383 return null;
1384 }
1385 if (extensions == null) {
1386 return null;
1387 } else {
1388 Extension ex = extensions.getExtension(oid.toString());
1389 if (ex != null) {
1390 return ex;
1391 }
1392 for (Extension ex2: extensions.getAllExtensions()) {
1393 if (ex2.getExtensionId().equals(oid)) {
1394 //XXXX May want to consider cloning this
1395 return ex2;
1396 }
1397 }
1398 /* no such extension in this certificate */
1399 return null;
1400 }
1401 } catch (IOException ioe) {
1402 return null;
1403 }
1404 }
1405
1406 public Extension getUnparseableExtension(ObjectIdentifier oid) {
1407 if (info == null) {
1408 return null;
1409 }
1410 try {
1411 CertificateExtensions extensions;
1412 try {
1413 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1414 } catch (CertificateException ce) {
1415 return null;
1416 }
1417 if (extensions == null) {
1418 return null;
1419 } else {
1420 return extensions.getUnparseableExtensions().get(oid.toString());
1421 }
1422 } catch (IOException ioe) {
1423 return null;
1424 }
1425 }
1426
1427 /**
1428 * Gets the DER encoded extension identified by the given
1429 * oid String.
1430 *
1431 * @param oid the Object Identifier value for the extension.
1432 */
1433 public byte[] getExtensionValue(String oid) {
1434 try {
1435 ObjectIdentifier findOID = new ObjectIdentifier(oid);
1436 String extAlias = OIDMap.getName(findOID);
1437 Extension certExt = null;
1438 CertificateExtensions exts = (CertificateExtensions)info.get(
1439 CertificateExtensions.NAME);
1440
1441 if (extAlias == null) { // may be unknown
1442 // get the extensions, search thru' for this oid
1443 if (exts == null) {
1444 return null;
1445 }
1446
1447 for (Extension ex : exts.getAllExtensions()) {
1448 ObjectIdentifier inCertOID = ex.getExtensionId();
1449 if (inCertOID.equals(findOID)) {
1450 certExt = ex;
1451 break;
1452 }
1453 }
1454 } else { // there's sub-class that can handle this extension
1455 try {
1456 certExt = (Extension)this.get(extAlias);
1457 } catch (CertificateException e) {
1458 // get() throws an Exception instead of returning null, ignore
1459 }
1460 }
1461 if (certExt == null) {
1462 if (exts != null) {
1463 certExt = exts.getUnparseableExtensions().get(oid);
1464 }
1465 if (certExt == null) {
1466 return null;
1467 }
1468 }
1469 byte[] extData = certExt.getExtensionValue();
1470 if (extData == null) {
1471 return null;
1472 }
1473 DerOutputStream out = new DerOutputStream();
1474 out.putOctetString(extData);
1475 return out.toByteArray();
1476 } catch (Exception e) {
1477 return null;
1478 }
1479 }
1480
1481 /**
1482 * Get a boolean array representing the bits of the KeyUsage extension,
1483 * (oid = 2.5.29.15).
1484 * @return the bit values of this extension as an array of booleans.
1485 */
1486 public boolean[] getKeyUsage() {
1487 try {
1488 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
1489 if (extAlias == null)
1490 return null;
1491
1492 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
1493 if (certExt == null)
1494 return null;
1495
1496 boolean[] ret = certExt.getBits();
1497 if (ret.length < NUM_STANDARD_KEY_USAGE) {
1498 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
1499 System.arraycopy(ret, 0, usageBits, 0, ret.length);
1500 ret = usageBits;
1501 }
1502 return ret;
1503 } catch (Exception e) {
1504 return null;
1505 }
1506 }
1507
1508 /**
1509 * This method are the overridden implementation of
1510 * getExtendedKeyUsage method in X509Certificate in the Sun
1511 * provider. It is better performance-wise since it returns cached
1512 * values.
1513 */
1514 public synchronized List<String> getExtendedKeyUsage()
1515 throws CertificateParsingException {
1516 if (readOnly && extKeyUsage != null) {
1517 return extKeyUsage;
1518 } else {
1519 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
1520 if (ext == null) {
1521 return null;
1522 }
1523 extKeyUsage =
1524 Collections.unmodifiableList(ext.getExtendedKeyUsage());
1525 return extKeyUsage;
1526 }
1527 }
1528
1529 /**
1530 * This static method is the default implementation of the
1531 * getExtendedKeyUsage method in X509Certificate. A
1532 * X509Certificate provider generally should overwrite this to
1533 * provide among other things caching for better performance.
1534 */
1535 public static List<String> getExtendedKeyUsage(X509Certificate cert)
1536 throws CertificateParsingException {
1537 try {
1538 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID);
1539 if (ext == null)
1540 return null;
1541 DerValue val = new DerValue(ext);
1542 byte[] data = val.getOctetString();
1543
1544 ExtendedKeyUsageExtension ekuExt =
1545 new ExtendedKeyUsageExtension(Boolean.FALSE, data);
1546 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
1547 } catch (IOException ioe) {
1548 throw new CertificateParsingException(ioe);
1549 }
1550 }
1551
1552 /**
1553 * Get the certificate constraints path length from
1554 * the critical BasicConstraints extension, (oid = 2.5.29.19).
1555 * @return the length of the constraint.
1556 */
1557 public int getBasicConstraints() {
1558 try {
1559 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
1560 if (extAlias == null)
1561 return -1;
1562 BasicConstraintsExtension certExt =
1563 (BasicConstraintsExtension)this.get(extAlias);
1564 if (certExt == null)
1565 return -1;
1566
1567 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
1568 ).booleanValue() == true)
1569 return ((Integer)certExt.get(
1570 BasicConstraintsExtension.PATH_LEN)).intValue();
1571 else
1572 return -1;
1573 } catch (Exception e) {
1574 return -1;
1575 }
1576 }
1577
1578 /**
1579 * Converts a GeneralNames structure into an immutable Collection of
1580 * alternative names (subject or issuer) in the form required by
1581 * {@link #getSubjectAlternativeNames} or
1582 * {@link #getIssuerAlternativeNames}.
1583 *
1584 * @param names the GeneralNames to be converted
1585 * @return an immutable Collection of alternative names
1586 */
1587 private static Collection<List<?>> makeAltNames(GeneralNames names) {
1588 if (names.isEmpty()) {
1589 return Collections.<List<?>>emptySet();
1590 }
1591 List<List<?>> newNames = new ArrayList<>();
1592 for (GeneralName gname : names.names()) {
1593 GeneralNameInterface name = gname.getName();
1594 List<Object> nameEntry = new ArrayList<>(2);
1595 nameEntry.add(Integer.valueOf(name.getType()));
1596 switch (name.getType()) {
1597 case GeneralNameInterface.NAME_RFC822:
1598 nameEntry.add(((RFC822Name) name).getName());
1599 break;
1600 case GeneralNameInterface.NAME_DNS:
1601 nameEntry.add(((DNSName) name).getName());
1602 break;
1603 case GeneralNameInterface.NAME_DIRECTORY:
1604 nameEntry.add(((X500Name) name).getRFC2253Name());
1605 break;
1606 case GeneralNameInterface.NAME_URI:
1607 nameEntry.add(((URIName) name).getName());
1608 break;
1609 case GeneralNameInterface.NAME_IP:
1610 try {
1611 nameEntry.add(((IPAddressName) name).getName());
1612 } catch (IOException ioe) {
1613 // IPAddressName in cert is bogus
1614 throw new RuntimeException("IPAddress cannot be parsed",
1615 ioe);
1616 }
1617 break;
1618 case GeneralNameInterface.NAME_OID:
1619 nameEntry.add(((OIDName) name).getOID().toString());
1620 break;
1621 default:
1622 // add DER encoded form
1623 DerOutputStream derOut = new DerOutputStream();
1624 try {
1625 name.encode(derOut);
1626 } catch (IOException ioe) {
1627 // should not occur since name has already been decoded
1628 // from cert (this would indicate a bug in our code)
1629 throw new RuntimeException("name cannot be encoded", ioe);
1630 }
1631 nameEntry.add(derOut.toByteArray());
1632 break;
1633 }
1634 newNames.add(Collections.unmodifiableList(nameEntry));
1635 }
1636 return Collections.unmodifiableCollection(newNames);
1637 }
1638
1639 /**
1640 * Checks a Collection of altNames and clones any name entries of type
1641 * byte [].
1642 */ // only partially generified due to javac bug
1643 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
1644 boolean mustClone = false;
1645 for (List<?> nameEntry : altNames) {
1646 if (nameEntry.get(1) instanceof byte[]) {
1647 // must clone names
1648 mustClone = true;
1649 }
1650 }
1651 if (mustClone) {
1652 List<List<?>> namesCopy = new ArrayList<>();
1653 for (List<?> nameEntry : altNames) {
1654 Object nameObject = nameEntry.get(1);
1655 if (nameObject instanceof byte[]) {
1656 List<Object> nameEntryCopy =
1657 new ArrayList<>(nameEntry);
1658 nameEntryCopy.set(1, ((byte[])nameObject).clone());
1659 namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
1660 } else {
1661 namesCopy.add(nameEntry);
1662 }
1663 }
1664 return Collections.unmodifiableCollection(namesCopy);
1665 } else {
1666 return altNames;
1667 }
1668 }
1669
1670 /**
1671 * This method are the overridden implementation of
1672 * getSubjectAlternativeNames method in X509Certificate in the Sun
1673 * provider. It is better performance-wise since it returns cached
1674 * values.
1675 */
1676 public synchronized Collection<List<?>> getSubjectAlternativeNames()
1677 throws CertificateParsingException {
1678 // return cached value if we can
1679 if (readOnly && subjectAlternativeNames != null) {
1680 return cloneAltNames(subjectAlternativeNames);
1681 }
1682 SubjectAlternativeNameExtension subjectAltNameExt =
1683 getSubjectAlternativeNameExtension();
1684 if (subjectAltNameExt == null) {
1685 return null;
1686 }
1687 GeneralNames names;
1688 try {
1689 names = subjectAltNameExt.get(
1690 SubjectAlternativeNameExtension.SUBJECT_NAME);
1691 } catch (IOException ioe) {
1692 // should not occur
1693 return Collections.<List<?>>emptySet();
1694 }
1695 subjectAlternativeNames = makeAltNames(names);
1696 return subjectAlternativeNames;
1697 }
1698
1699 /**
1700 * This static method is the default implementation of the
1701 * getSubjectAlternaitveNames method in X509Certificate. A
1702 * X509Certificate provider generally should overwrite this to
1703 * provide among other things caching for better performance.
1704 */
1705 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
1706 throws CertificateParsingException {
1707 try {
1708 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID);
1709 if (ext == null) {
1710 return null;
1711 }
1712 DerValue val = new DerValue(ext);
1713 byte[] data = val.getOctetString();
1714
1715 SubjectAlternativeNameExtension subjectAltNameExt =
1716 new SubjectAlternativeNameExtension(Boolean.FALSE,
1717 data);
1718
1719 GeneralNames names;
1720 try {
1721 names = subjectAltNameExt.get(
1722 SubjectAlternativeNameExtension.SUBJECT_NAME);
1723 } catch (IOException ioe) {
1724 // should not occur
1725 return Collections.<List<?>>emptySet();
1726 }
1727 return makeAltNames(names);
1728 } catch (IOException ioe) {
1729 throw new CertificateParsingException(ioe);
1730 }
1731 }
1732
1733 /**
1734 * This method are the overridden implementation of
1735 * getIssuerAlternativeNames method in X509Certificate in the Sun
1736 * provider. It is better performance-wise since it returns cached
1737 * values.
1738 */
1739 public synchronized Collection<List<?>> getIssuerAlternativeNames()
1740 throws CertificateParsingException {
1741 // return cached value if we can
1742 if (readOnly && issuerAlternativeNames != null) {
1743 return cloneAltNames(issuerAlternativeNames);
1744 }
1745 IssuerAlternativeNameExtension issuerAltNameExt =
1746 getIssuerAlternativeNameExtension();
1747 if (issuerAltNameExt == null) {
1748 return null;
1749 }
1750 GeneralNames names;
1751 try {
1752 names = issuerAltNameExt.get(
1753 IssuerAlternativeNameExtension.ISSUER_NAME);
1754 } catch (IOException ioe) {
1755 // should not occur
1756 return Collections.<List<?>>emptySet();
1757 }
1758 issuerAlternativeNames = makeAltNames(names);
1759 return issuerAlternativeNames;
1760 }
1761
1762 /**
1763 * This static method is the default implementation of the
1764 * getIssuerAlternaitveNames method in X509Certificate. A
1765 * X509Certificate provider generally should overwrite this to
1766 * provide among other things caching for better performance.
1767 */
1768 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
1769 throws CertificateParsingException {
1770 try {
1771 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
1772 if (ext == null) {
1773 return null;
1774 }
1775
1776 DerValue val = new DerValue(ext);
1777 byte[] data = val.getOctetString();
1778
1779 IssuerAlternativeNameExtension issuerAltNameExt =
1780 new IssuerAlternativeNameExtension(Boolean.FALSE,
1781 data);
1782 GeneralNames names;
1783 try {
1784 names = issuerAltNameExt.get(
1785 IssuerAlternativeNameExtension.ISSUER_NAME);
1786 } catch (IOException ioe) {
1787 // should not occur
1788 return Collections.<List<?>>emptySet();
1789 }
1790 return makeAltNames(names);
1791 } catch (IOException ioe) {
1792 throw new CertificateParsingException(ioe);
1793 }
1794 }
1795
1796 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
1797 return (AuthorityInfoAccessExtension)
1798 getExtension(PKIXExtensions.AuthInfoAccess_Id);
1799 }
1800
1801 /************************************************************/
1802
1803 /*
1804 * Cert is a SIGNED ASN.1 macro, a three elment sequence:
1805 *
1806 * - Data to be signed (ToBeSigned) -- the "raw" cert
1807 * - Signature algorithm (SigAlgId)
1808 * - The signature bits
1809 *
1810 * This routine unmarshals the certificate, saving the signature
1811 * parts away for later verification.
1812 */
1813 private void parse(DerValue val)
1814 throws CertificateException, IOException {
1815 // check if can over write the certificate
1816 if (readOnly)
1817 throw new CertificateParsingException(
1818 "cannot over-write existing certificate");
1819
1820 if (val.data == null || val.tag != DerValue.tag_Sequence)
1821 throw new CertificateParsingException(
1822 "invalid DER-encoded certificate data");
1823
1824 signedCert = val.toByteArray();
1825 DerValue[] seq = new DerValue[3];
1826
1827 seq[0] = val.data.getDerValue();
1828 seq[1] = val.data.getDerValue();
1829 seq[2] = val.data.getDerValue();
1830
1831 if (val.data.available() != 0) {
1832 throw new CertificateParsingException("signed overrun, bytes = "
1833 + val.data.available());
1834 }
1835 if (seq[0].tag != DerValue.tag_Sequence) {
1836 throw new CertificateParsingException("signed fields invalid");
1837 }
1838
1839 algId = AlgorithmId.parse(seq[1]);
1840 signature = seq[2].getBitString();
1841
1842 if (seq[1].data.available() != 0) {
1843 throw new CertificateParsingException("algid field overrun");
1844 }
1845 if (seq[2].data.available() != 0)
1846 throw new CertificateParsingException("signed fields overrun");
1847
1848 // The CertificateInfo
1849 info = new X509CertInfo(seq[0]);
1850
1851 // the "inner" and "outer" signature algorithms must match
1852 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1853 CertificateAlgorithmId.NAME
1854 + DOT +
1855 CertificateAlgorithmId.ALGORITHM);
1856 if (! algId.equals(infoSigAlg))
1857 throw new CertificateException("Signature algorithm mismatch");
1858 readOnly = true;
1859 }
1860
1861 /**
1862 * Extract the subject or issuer X500Principal from an X509Certificate.
1863 * Parses the encoded form of the cert to preserve the principal's
1864 * ASN.1 encoding.
1865 */
1866 private static X500Principal getX500Principal(X509Certificate cert,
1867 boolean getIssuer) throws Exception {
1868 byte[] encoded = cert.getEncoded();
1869 DerInputStream derIn = new DerInputStream(encoded);
1870 DerValue tbsCert = derIn.getSequence(3)[0];
1871 DerInputStream tbsIn = tbsCert.data;
1872 DerValue tmp;
1873 tmp = tbsIn.getDerValue();
1874 // skip version number if present
1875 if (tmp.isContextSpecific((byte)0)) {
1876 tmp = tbsIn.getDerValue();
1877 }
1878 // tmp always contains serial number now
1879 tmp = tbsIn.getDerValue(); // skip signature
1880 tmp = tbsIn.getDerValue(); // issuer
1881 if (getIssuer == false) {
1882 tmp = tbsIn.getDerValue(); // skip validity
1883 tmp = tbsIn.getDerValue(); // subject
1884 }
1885 byte[] principalBytes = tmp.toByteArray();
1886 return new X500Principal(principalBytes);
1887 }
1888
1889 /**
1890 * Extract the subject X500Principal from an X509Certificate.
1891 * Called from java.security.cert.X509Certificate.getSubjectX500Principal().
1892 */
1893 public static X500Principal getSubjectX500Principal(X509Certificate cert) {
1894 try {
1895 return getX500Principal(cert, false);
1896 } catch (Exception e) {
1897 throw new RuntimeException("Could not parse subject", e);
1898 }
1899 }
1900
1901 /**
1902 * Extract the issuer X500Principal from an X509Certificate.
1903 * Called from java.security.cert.X509Certificate.getIssuerX500Principal().
1904 */
1905 public static X500Principal getIssuerX500Principal(X509Certificate cert) {
1906 try {
1907 return getX500Principal(cert, true);
1908 } catch (Exception e) {
1909 throw new RuntimeException("Could not parse issuer", e);
1910 }
1911 }
1912
1913 /**
1914 * Returned the encoding of the given certificate for internal use.
1915 * Callers must guarantee that they neither modify it nor expose it
1916 * to untrusted code. Uses getEncodedInternal() if the certificate
1917 * is instance of X509CertImpl, getEncoded() otherwise.
1918 */
1919 public static byte[] getEncodedInternal(Certificate cert)
1920 throws CertificateEncodingException {
1921 if (cert instanceof X509CertImpl) {
1922 return ((X509CertImpl)cert).getEncodedInternal();
1923 } else {
1924 return cert.getEncoded();
1925 }
1926 }
1927
1928 /**
1929 * Utility method to convert an arbitrary instance of X509Certificate
1930 * to a X509CertImpl. Does a cast if possible, otherwise reparses
1931 * the encoding.
1932 */
1933 public static X509CertImpl toImpl(X509Certificate cert)
1934 throws CertificateException {
1935 if (cert instanceof X509CertImpl) {
1936 return (X509CertImpl)cert;
1937 } else {
1938 return X509Factory.intern(cert);
1939 }
1940 }
1941
1942 /**
1943 * Utility method to test if a certificate is self-issued. This is
1944 * the case iff the subject and issuer X500Principals are equal.
1945 */
1946 public static boolean isSelfIssued(X509Certificate cert) {
1947 X500Principal subject = cert.getSubjectX500Principal();
1948 X500Principal issuer = cert.getIssuerX500Principal();
1949 return subject.equals(issuer);
1950 }
1951
1952 /**
1953 * Utility method to test if a certificate is self-signed. This is
1954 * the case iff the subject and issuer X500Principals are equal
1955 * AND the certificate's subject public key can be used to verify
1956 * the certificate. In case of exception, returns false.
1957 */
1958 public static boolean isSelfSigned(X509Certificate cert,
1959 String sigProvider) {
1960 if (isSelfIssued(cert)) {
1961 try {
1962 if (sigProvider == null) {
1963 cert.verify(cert.getPublicKey());
1964 } else {
1965 cert.verify(cert.getPublicKey(), sigProvider);
1966 }
1967 return true;
1968 } catch (Exception e) {
1969 // In case of exception, return false
1970 }
1971 }
1972 return false;
1973 }
1974
1975 private ConcurrentHashMap<String,String> fingerprints =
1976 new ConcurrentHashMap<>(2);
1977
1978 public String getFingerprint(String algorithm) {
1979 return fingerprints.computeIfAbsent(algorithm,
1980 x -> getFingerprint(x, this));
1981 }
1982
1983 /**
1984 * Gets the requested finger print of the certificate. The result
1985 * only contains 0-9 and A-F. No small case, no colon.
1986 */
1987 public static String getFingerprint(String algorithm,
1988 X509Certificate cert) {
1989 try {
1990 byte[] encCertInfo = cert.getEncoded();
1991 MessageDigest md = MessageDigest.getInstance(algorithm);
1992 byte[] digest = md.digest(encCertInfo);
1993 StringBuilder sb = new StringBuilder(digest.length * 2);
1994 for (int i = 0; i < digest.length; i++) {
1995 byte2hex(digest[i], sb);
1996 }
1997 return sb.toString();
1998 } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
1999 // ignored
2000 }
2001 return "";
2002 }
2003
2004 /**
2005 * Converts a byte to hex digit and writes to the supplied builder
2006 */
2007 private static void byte2hex(byte b, StringBuilder buf) {
2008 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
2009 '9', 'A', 'B', 'C', 'D', 'E', 'F' };
2010 int high = ((b & 0xf0) >> 4);
2011 int low = (b & 0x0f);
2012 buf.append(hexChars[high])
2013 .append(hexChars[low]);
2014 }
2015 }