1 /* 2 * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.BufferedReader; 29 import java.io.BufferedInputStream; 30 import java.io.ByteArrayOutputStream; 31 import java.io.IOException; 32 import java.io.InputStream; 33 import java.io.InputStreamReader; 34 import java.io.OutputStream; 35 import java.math.BigInteger; 36 import java.security.*; 37 import java.security.spec.AlgorithmParameterSpec; 38 import java.security.cert.*; 39 import java.security.cert.Certificate; 40 import java.util.*; 41 import java.util.concurrent.ConcurrentHashMap; 42 43 import javax.security.auth.x500.X500Principal; 44 45 import sun.security.util.*; 46 import sun.security.provider.X509Factory; 47 48 /** 49 * The X509CertImpl class represents an X.509 certificate. These certificates 50 * are widely used to support authentication and other functionality in 51 * Internet security systems. Common applications include Privacy Enhanced 52 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted 53 * software distribution, and Secure Electronic Transactions (SET). There 54 * is a commercial infrastructure ready to manage large scale deployments 55 * of X.509 identity certificates. 56 * 57 * <P>These certificates are managed and vouched for by <em>Certificate 58 * Authorities</em> (CAs). CAs are services which create certificates by 59 * placing data in the X.509 standard format and then digitally signing 60 * that data. Such signatures are quite difficult to forge. CAs act as 61 * trusted third parties, making introductions between agents who have no 62 * direct knowledge of each other. CA certificates are either signed by 63 * themselves, or by some other CA such as a "root" CA. 64 * 65 * <P> Standards relating to X.509 Public Key Infrastructure for the Internet 66 * can be referenced in RFC 5280. 67 * 68 * @author Dave Brownell 69 * @author Amit Kapoor 70 * @author Hemma Prafullchandra 71 * @see X509CertInfo 72 */ 73 public class X509CertImpl extends X509Certificate implements DerEncoder { 74 75 private static final long serialVersionUID = -3457612960190864406L; 76 77 private static final char DOT = '.'; 78 /** 79 * Public attribute names. 80 */ 81 public static final String NAME = "x509"; 82 public static final String INFO = X509CertInfo.NAME; 83 public static final String ALG_ID = "algorithm"; 84 public static final String SIGNATURE = "signature"; 85 public static final String SIGNED_CERT = "signed_cert"; 86 87 /** 88 * The following are defined for ease-of-use. These 89 * are the most frequently retrieved attributes. 90 */ 91 // x509.info.subject.dname 92 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT + 93 X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME; 94 // x509.info.issuer.dname 95 public static final String ISSUER_DN = NAME + DOT + INFO + DOT + 96 X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME; 97 // x509.info.serialNumber.number 98 public static final String SERIAL_ID = NAME + DOT + INFO + DOT + 99 X509CertInfo.SERIAL_NUMBER + DOT + 100 CertificateSerialNumber.NUMBER; 101 // x509.info.key.value 102 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT + 103 X509CertInfo.KEY + DOT + 104 CertificateX509Key.KEY; 105 106 // x509.info.version.value 107 public static final String VERSION = NAME + DOT + INFO + DOT + 108 X509CertInfo.VERSION + DOT + 109 CertificateVersion.VERSION; 110 111 // x509.algorithm 112 public static final String SIG_ALG = NAME + DOT + ALG_ID; 113 114 // x509.signature 115 public static final String SIG = NAME + DOT + SIGNATURE; 116 117 // when we sign and decode we set this to true 118 // this is our means to make certificates immutable 119 private boolean readOnly = false; 120 121 // Certificate data, and its envelope 122 private byte[] signedCert = null; 123 protected X509CertInfo info = null; 124 protected AlgorithmId algId = null; 125 protected byte[] signature = null; 126 127 // recognized extension OIDS 128 private static final String KEY_USAGE_OID = "2.5.29.15"; 129 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37"; 130 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19"; 131 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17"; 132 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18"; 133 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1"; 134 135 // number of standard key usage bits. 136 private static final int NUM_STANDARD_KEY_USAGE = 9; 137 138 // SubjectAlterntativeNames cache 139 private Collection<List<?>> subjectAlternativeNames; 140 141 // IssuerAlternativeNames cache 142 private Collection<List<?>> issuerAlternativeNames; 143 144 // ExtendedKeyUsage cache 145 private List<String> extKeyUsage; 146 147 // AuthorityInformationAccess cache 148 private Set<AccessDescription> authInfoAccess; 149 150 /** 151 * PublicKey that has previously been used to verify 152 * the signature of this certificate. Null if the certificate has not 153 * yet been verified. 154 */ 155 private PublicKey verifiedPublicKey; 156 /** 157 * If verifiedPublicKey is not null, name of the provider used to 158 * successfully verify the signature of this certificate, or the 159 * empty String if no provider was explicitly specified. 160 */ 161 private String verifiedProvider; 162 /** 163 * If verifiedPublicKey is not null, result of the verification using 164 * verifiedPublicKey and verifiedProvider. If true, verification was 165 * successful, if false, it failed. 166 */ 167 private boolean verificationResult; 168 169 /** 170 * Default constructor. 171 */ 172 public X509CertImpl() { } 173 174 /** 175 * Unmarshals a certificate from its encoded form, parsing the 176 * encoded bytes. This form of constructor is used by agents which 177 * need to examine and use certificate contents. That is, this is 178 * one of the more commonly used constructors. Note that the buffer 179 * must include only a certificate, and no "garbage" may be left at 180 * the end. If you need to ignore data at the end of a certificate, 181 * use another constructor. 182 * 183 * @param certData the encoded bytes, with no trailing padding. 184 * @exception CertificateException on parsing and initialization errors. 185 */ 186 public X509CertImpl(byte[] certData) throws CertificateException { 187 try { 188 parse(new DerValue(certData)); 189 } catch (IOException e) { 190 signedCert = null; 191 throw new CertificateException("Unable to initialize, " + e, e); 192 } 193 } 194 195 /** 196 * unmarshals an X.509 certificate from an input stream. If the 197 * certificate is RFC1421 hex-encoded, then it must begin with 198 * the line X509Factory.BEGIN_CERT and end with the line 199 * X509Factory.END_CERT. 200 * 201 * @param in an input stream holding at least one certificate that may 202 * be either DER-encoded or RFC1421 hex-encoded version of the 203 * DER-encoded certificate. 204 * @exception CertificateException on parsing and initialization errors. 205 */ 206 public X509CertImpl(InputStream in) throws CertificateException { 207 208 DerValue der = null; 209 210 BufferedInputStream inBuffered = new BufferedInputStream(in); 211 212 // First try reading stream as HEX-encoded DER-encoded bytes, 213 // since not mistakable for raw DER 214 try { 215 inBuffered.mark(Integer.MAX_VALUE); 216 der = readRFC1421Cert(inBuffered); 217 } catch (IOException ioe) { 218 try { 219 // Next, try reading stream as raw DER-encoded bytes 220 inBuffered.reset(); 221 der = new DerValue(inBuffered); 222 } catch (IOException ioe1) { 223 throw new CertificateException("Input stream must be " + 224 "either DER-encoded bytes " + 225 "or RFC1421 hex-encoded " + 226 "DER-encoded bytes: " + 227 ioe1.getMessage(), ioe1); 228 } 229 } 230 try { 231 parse(der); 232 } catch (IOException ioe) { 233 signedCert = null; 234 throw new CertificateException("Unable to parse DER value of " + 235 "certificate, " + ioe, ioe); 236 } 237 } 238 239 /** 240 * read input stream as HEX-encoded DER-encoded bytes 241 * 242 * @param in InputStream to read 243 * @return DerValue corresponding to decoded HEX-encoded bytes 244 * @throws IOException if stream can not be interpreted as RFC1421 245 * encoded bytes 246 */ 247 private DerValue readRFC1421Cert(InputStream in) throws IOException { 248 DerValue der = null; 249 String line = null; 250 BufferedReader certBufferedReader = 251 new BufferedReader(new InputStreamReader(in, "ASCII")); 252 try { 253 line = certBufferedReader.readLine(); 254 } catch (IOException ioe1) { 255 throw new IOException("Unable to read InputStream: " + 256 ioe1.getMessage()); 257 } 258 if (line.equals(X509Factory.BEGIN_CERT)) { 259 /* stream appears to be hex-encoded bytes */ 260 ByteArrayOutputStream decstream = new ByteArrayOutputStream(); 261 try { 262 while ((line = certBufferedReader.readLine()) != null) { 263 if (line.equals(X509Factory.END_CERT)) { 264 der = new DerValue(decstream.toByteArray()); 265 break; 266 } else { 267 decstream.write(Pem.decode(line)); 268 } 269 } 270 } catch (IOException ioe2) { 271 throw new IOException("Unable to read InputStream: " 272 + ioe2.getMessage()); 273 } 274 } else { 275 throw new IOException("InputStream is not RFC1421 hex-encoded " + 276 "DER bytes"); 277 } 278 return der; 279 } 280 281 /** 282 * Construct an initialized X509 Certificate. The certificate is stored 283 * in raw form and has to be signed to be useful. 284 * 285 * @param certInfo the X509CertificateInfo which the Certificate is to be 286 * created from. 287 */ 288 public X509CertImpl(X509CertInfo certInfo) { 289 this.info = certInfo; 290 } 291 292 /** 293 * Unmarshal a certificate from its encoded form, parsing a DER value. 294 * This form of constructor is used by agents which need to examine 295 * and use certificate contents. 296 * 297 * @param derVal the der value containing the encoded cert. 298 * @exception CertificateException on parsing and initialization errors. 299 */ 300 public X509CertImpl(DerValue derVal) throws CertificateException { 301 try { 302 parse(derVal); 303 } catch (IOException e) { 304 signedCert = null; 305 throw new CertificateException("Unable to initialize, " + e, e); 306 } 307 } 308 309 /** 310 * Appends the certificate to an output stream. 311 * 312 * @param out an input stream to which the certificate is appended. 313 * @exception CertificateEncodingException on encoding errors. 314 */ 315 public void encode(OutputStream out) 316 throws CertificateEncodingException { 317 if (signedCert == null) 318 throw new CertificateEncodingException( 319 "Null certificate to encode"); 320 try { 321 out.write(signedCert.clone()); 322 } catch (IOException e) { 323 throw new CertificateEncodingException(e.toString()); 324 } 325 } 326 327 /** 328 * DER encode this object onto an output stream. 329 * Implements the <code>DerEncoder</code> interface. 330 * 331 * @param out the output stream on which to write the DER encoding. 332 * 333 * @exception IOException on encoding error. 334 */ 335 public void derEncode(OutputStream out) throws IOException { 336 if (signedCert == null) 337 throw new IOException("Null certificate to encode"); 338 out.write(signedCert.clone()); 339 } 340 341 /** 342 * Returns the encoded form of this certificate. It is 343 * assumed that each certificate type would have only a single 344 * form of encoding; for example, X.509 certificates would 345 * be encoded as ASN.1 DER. 346 * 347 * @exception CertificateEncodingException if an encoding error occurs. 348 */ 349 public byte[] getEncoded() throws CertificateEncodingException { 350 return getEncodedInternal().clone(); 351 } 352 353 /** 354 * Returned the encoding as an uncloned byte array. Callers must 355 * guarantee that they neither modify it nor expose it to untrusted 356 * code. 357 */ 358 public byte[] getEncodedInternal() throws CertificateEncodingException { 359 if (signedCert == null) { 360 throw new CertificateEncodingException( 361 "Null certificate to encode"); 362 } 363 return signedCert; 364 } 365 366 /** 367 * Throws an exception if the certificate was not signed using the 368 * verification key provided. Successfully verifying a certificate 369 * does <em>not</em> indicate that one should trust the entity which 370 * it represents. 371 * 372 * @param key the public key used for verification. 373 * 374 * @exception InvalidKeyException on incorrect key. 375 * @exception NoSuchAlgorithmException on unsupported signature 376 * algorithms. 377 * @exception NoSuchProviderException if there's no default provider. 378 * @exception SignatureException on signature errors. 379 * @exception CertificateException on encoding errors. 380 */ 381 public void verify(PublicKey key) 382 throws CertificateException, NoSuchAlgorithmException, 383 InvalidKeyException, NoSuchProviderException, SignatureException { 384 verify(key, ""); 385 } 386 387 /** 388 * Throws an exception if the certificate was not signed using the 389 * verification key provided. Successfully verifying a certificate 390 * does <em>not</em> indicate that one should trust the entity which 391 * it represents. 392 * 393 * @param key the public key used for verification. 394 * @param sigProvider the name of the provider. 395 * 396 * @exception NoSuchAlgorithmException on unsupported signature 397 * algorithms. 398 * @exception InvalidKeyException on incorrect key. 399 * @exception NoSuchProviderException on incorrect provider. 400 * @exception SignatureException on signature errors. 401 * @exception CertificateException on encoding errors. 402 */ 403 public synchronized void verify(PublicKey key, String sigProvider) 404 throws CertificateException, NoSuchAlgorithmException, 405 InvalidKeyException, NoSuchProviderException, SignatureException { 406 if (sigProvider == null) { 407 sigProvider = ""; 408 } 409 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { 410 // this certificate has already been verified using 411 // this public key. Make sure providers match, too. 412 if (sigProvider.equals(verifiedProvider)) { 413 if (verificationResult) { 414 return; 415 } else { 416 throw new SignatureException("Signature does not match."); 417 } 418 } 419 } 420 if (signedCert == null) { 421 throw new CertificateEncodingException("Uninitialized certificate"); 422 } 423 // Verify the signature ... 424 Signature sigVerf = null; 425 String sigName = algId.getName(); 426 if (sigProvider.isEmpty()) { 427 sigVerf = Signature.getInstance(sigName); 428 } else { 429 sigVerf = Signature.getInstance(sigName, sigProvider); 430 } 431 432 try { 433 SignatureUtil.initVerifyWithParam(sigVerf, key, 434 SignatureUtil.getParamSpec(sigName, getSigAlgParams())); 435 } catch (ProviderException e) { 436 throw new CertificateException(e.getMessage(), e.getCause()); 437 } catch (InvalidAlgorithmParameterException e) { 438 throw new CertificateException(e); 439 } 440 441 byte[] rawCert = info.getEncodedInfo(); 442 sigVerf.update(rawCert, 0, rawCert.length); 443 444 // verify may throw SignatureException for invalid encodings, etc. 445 verificationResult = sigVerf.verify(signature); 446 verifiedPublicKey = key; 447 verifiedProvider = sigProvider; 448 449 if (verificationResult == false) { 450 throw new SignatureException("Signature does not match."); 451 } 452 } 453 454 /** 455 * Throws an exception if the certificate was not signed using the 456 * verification key provided. This method uses the signature verification 457 * engine supplied by the specified provider. Note that the specified 458 * Provider object does not have to be registered in the provider list. 459 * Successfully verifying a certificate does <em>not</em> indicate that one 460 * should trust the entity which it represents. 461 * 462 * @param key the public key used for verification. 463 * @param sigProvider the provider. 464 * 465 * @exception NoSuchAlgorithmException on unsupported signature 466 * algorithms. 467 * @exception InvalidKeyException on incorrect key. 468 * @exception SignatureException on signature errors. 469 * @exception CertificateException on encoding errors. 470 */ 471 public synchronized void verify(PublicKey key, Provider sigProvider) 472 throws CertificateException, NoSuchAlgorithmException, 473 InvalidKeyException, SignatureException { 474 if (signedCert == null) { 475 throw new CertificateEncodingException("Uninitialized certificate"); 476 } 477 // Verify the signature ... 478 Signature sigVerf = null; 479 String sigName = algId.getName(); 480 if (sigProvider == null) { 481 sigVerf = Signature.getInstance(sigName); 482 } else { 483 sigVerf = Signature.getInstance(sigName, sigProvider); 484 } 485 486 try { 487 SignatureUtil.initVerifyWithParam(sigVerf, key, 488 SignatureUtil.getParamSpec(sigName, getSigAlgParams())); 489 } catch (ProviderException e) { 490 throw new CertificateException(e.getMessage(), e.getCause()); 491 } catch (InvalidAlgorithmParameterException e) { 492 throw new CertificateException(e); 493 } 494 495 byte[] rawCert = info.getEncodedInfo(); 496 sigVerf.update(rawCert, 0, rawCert.length); 497 498 // verify may throw SignatureException for invalid encodings, etc. 499 verificationResult = sigVerf.verify(signature); 500 verifiedPublicKey = key; 501 502 if (verificationResult == false) { 503 throw new SignatureException("Signature does not match."); 504 } 505 } 506 507 /** 508 * Creates an X.509 certificate, and signs it using the given key 509 * (associating a signature algorithm and an X.500 name). 510 * This operation is used to implement the certificate generation 511 * functionality of a certificate authority. 512 * 513 * @param key the private key used for signing. 514 * @param algorithm the name of the signature algorithm used. 515 * 516 * @exception InvalidKeyException on incorrect key. 517 * @exception NoSuchAlgorithmException on unsupported signature 518 * algorithms. 519 * @exception NoSuchProviderException if there's no default provider. 520 * @exception SignatureException on signature errors. 521 * @exception CertificateException on encoding errors. 522 */ 523 public void sign(PrivateKey key, String algorithm) 524 throws CertificateException, NoSuchAlgorithmException, 525 InvalidKeyException, NoSuchProviderException, SignatureException { 526 sign(key, algorithm, null); 527 } 528 529 /** 530 * Creates an X.509 certificate, and signs it using the given key 531 * (associating a signature algorithm and an X.500 name). 532 * This operation is used to implement the certificate generation 533 * functionality of a certificate authority. 534 * 535 * @param key the private key used for signing. 536 * @param algorithm the name of the signature algorithm used. 537 * @param provider the name of the provider. 538 * 539 * @exception NoSuchAlgorithmException on unsupported signature 540 * algorithms. 541 * @exception InvalidKeyException on incorrect key. 542 * @exception NoSuchProviderException on incorrect provider. 543 * @exception SignatureException on signature errors. 544 * @exception CertificateException on encoding errors. 545 */ 546 public void sign(PrivateKey key, String algorithm, String provider) 547 throws CertificateException, NoSuchAlgorithmException, 548 InvalidKeyException, NoSuchProviderException, SignatureException { 549 try { 550 sign(key, null, algorithm, provider); 551 } catch (InvalidAlgorithmParameterException e) { 552 // should not happen; re-throw just in case 553 throw new SignatureException(e); 554 } 555 } 556 557 /** 558 * Creates an X.509 certificate, and signs it using the given key 559 * (associating a signature algorithm and an X.500 name), signature 560 * parameters, and security provider. If the given provider name 561 * is null or empty, the implementation look up will be based on 562 * provider configurations. 563 * This operation is used to implement the certificate generation 564 * functionality of a certificate authority. 565 * 566 * @param key the private key used for signing 567 * @param signingParams the parameters used for signing 568 * @param algorithm the name of the signature algorithm used 569 * @param provider the name of the provider, may be null 570 * 571 * @exception NoSuchAlgorithmException on unsupported signature 572 * algorithms 573 * @exception InvalidKeyException on incorrect key 574 * @exception InvalidAlgorithmParameterException on invalid signature 575 * parameters 576 * @exception NoSuchProviderException on incorrect provider 577 * @exception SignatureException on signature errors 578 * @exception CertificateException on encoding errors 579 */ 580 public void sign(PrivateKey key, AlgorithmParameterSpec signingParams, 581 String algorithm, String provider) 582 throws CertificateException, NoSuchAlgorithmException, 583 InvalidKeyException, InvalidAlgorithmParameterException, 584 NoSuchProviderException, SignatureException { 585 try { 586 if (readOnly) { 587 throw new CertificateEncodingException( 588 "cannot over-write existing certificate"); 589 } 590 Signature sigEngine = null; 591 if (provider == null || provider.isEmpty()) { 592 sigEngine = Signature.getInstance(algorithm); 593 } else { 594 sigEngine = Signature.getInstance(algorithm, provider); 595 } 596 597 SignatureUtil.initSignWithParam(sigEngine, key, signingParams, 598 null); 599 600 // in case the name is reset 601 if (signingParams != null) { 602 algId = AlgorithmId.get(sigEngine.getParameters()); 603 } else { 604 algId = AlgorithmId.get(algorithm); 605 } 606 DerOutputStream out = new DerOutputStream(); 607 DerOutputStream tmp = new DerOutputStream(); 608 609 // encode certificate info 610 info.encode(tmp); 611 byte[] rawCert = tmp.toByteArray(); 612 613 // encode algorithm identifier 614 algId.encode(tmp); 615 616 // Create and encode the signature itself. 617 sigEngine.update(rawCert, 0, rawCert.length); 618 signature = sigEngine.sign(); 619 tmp.putBitString(signature); 620 621 // Wrap the signed data in a SEQUENCE { data, algorithm, sig } 622 out.write(DerValue.tag_Sequence, tmp); 623 signedCert = out.toByteArray(); 624 readOnly = true; 625 626 } catch (IOException e) { 627 throw new CertificateEncodingException(e.toString()); 628 } 629 } 630 631 /** 632 * Checks that the certificate is currently valid, i.e. the current 633 * time is within the specified validity period. 634 * 635 * @exception CertificateExpiredException if the certificate has expired. 636 * @exception CertificateNotYetValidException if the certificate is not 637 * yet valid. 638 */ 639 public void checkValidity() 640 throws CertificateExpiredException, CertificateNotYetValidException { 641 Date date = new Date(); 642 checkValidity(date); 643 } 644 645 /** 646 * Checks that the specified date is within the certificate's 647 * validity period, or basically if the certificate would be 648 * valid at the specified date/time. 649 * 650 * @param date the Date to check against to see if this certificate 651 * is valid at that date/time. 652 * 653 * @exception CertificateExpiredException if the certificate has expired 654 * with respect to the <code>date</code> supplied. 655 * @exception CertificateNotYetValidException if the certificate is not 656 * yet valid with respect to the <code>date</code> supplied. 657 */ 658 public void checkValidity(Date date) 659 throws CertificateExpiredException, CertificateNotYetValidException { 660 661 CertificateValidity interval = null; 662 try { 663 interval = (CertificateValidity)info.get(CertificateValidity.NAME); 664 } catch (Exception e) { 665 throw new CertificateNotYetValidException("Incorrect validity period"); 666 } 667 if (interval == null) 668 throw new CertificateNotYetValidException("Null validity period"); 669 interval.valid(date); 670 } 671 672 /** 673 * Return the requested attribute from the certificate. 674 * 675 * Note that the X509CertInfo is not cloned for performance reasons. 676 * Callers must ensure that they do not modify it. All other 677 * attributes are cloned. 678 * 679 * @param name the name of the attribute. 680 * @exception CertificateParsingException on invalid attribute identifier. 681 */ 682 public Object get(String name) 683 throws CertificateParsingException { 684 X509AttributeName attr = new X509AttributeName(name); 685 String id = attr.getPrefix(); 686 if (!(id.equalsIgnoreCase(NAME))) { 687 throw new CertificateParsingException("Invalid root of " 688 + "attribute name, expected [" + NAME + 689 "], received " + "[" + id + "]"); 690 } 691 attr = new X509AttributeName(attr.getSuffix()); 692 id = attr.getPrefix(); 693 694 if (id.equalsIgnoreCase(INFO)) { 695 if (info == null) { 696 return null; 697 } 698 if (attr.getSuffix() != null) { 699 try { 700 return info.get(attr.getSuffix()); 701 } catch (IOException e) { 702 throw new CertificateParsingException(e.toString()); 703 } catch (CertificateException e) { 704 throw new CertificateParsingException(e.toString()); 705 } 706 } else { 707 return info; 708 } 709 } else if (id.equalsIgnoreCase(ALG_ID)) { 710 return(algId); 711 } else if (id.equalsIgnoreCase(SIGNATURE)) { 712 if (signature != null) 713 return signature.clone(); 714 else 715 return null; 716 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 717 if (signedCert != null) 718 return signedCert.clone(); 719 else 720 return null; 721 } else { 722 throw new CertificateParsingException("Attribute name not " 723 + "recognized or get() not allowed for the same: " + id); 724 } 725 } 726 727 /** 728 * Set the requested attribute in the certificate. 729 * 730 * @param name the name of the attribute. 731 * @param obj the value of the attribute. 732 * @exception CertificateException on invalid attribute identifier. 733 * @exception IOException on encoding error of attribute. 734 */ 735 public void set(String name, Object obj) 736 throws CertificateException, IOException { 737 // check if immutable 738 if (readOnly) 739 throw new CertificateException("cannot over-write existing" 740 + " certificate"); 741 742 X509AttributeName attr = new X509AttributeName(name); 743 String id = attr.getPrefix(); 744 if (!(id.equalsIgnoreCase(NAME))) { 745 throw new CertificateException("Invalid root of attribute name," 746 + " expected [" + NAME + "], received " + id); 747 } 748 attr = new X509AttributeName(attr.getSuffix()); 749 id = attr.getPrefix(); 750 751 if (id.equalsIgnoreCase(INFO)) { 752 if (attr.getSuffix() == null) { 753 if (!(obj instanceof X509CertInfo)) { 754 throw new CertificateException("Attribute value should" 755 + " be of type X509CertInfo."); 756 } 757 info = (X509CertInfo)obj; 758 signedCert = null; //reset this as certificate data has changed 759 } else { 760 info.set(attr.getSuffix(), obj); 761 signedCert = null; //reset this as certificate data has changed 762 } 763 } else { 764 throw new CertificateException("Attribute name not recognized or " + 765 "set() not allowed for the same: " + id); 766 } 767 } 768 769 /** 770 * Delete the requested attribute from the certificate. 771 * 772 * @param name the name of the attribute. 773 * @exception CertificateException on invalid attribute identifier. 774 * @exception IOException on other errors. 775 */ 776 public void delete(String name) 777 throws CertificateException, IOException { 778 // check if immutable 779 if (readOnly) 780 throw new CertificateException("cannot over-write existing" 781 + " certificate"); 782 783 X509AttributeName attr = new X509AttributeName(name); 784 String id = attr.getPrefix(); 785 if (!(id.equalsIgnoreCase(NAME))) { 786 throw new CertificateException("Invalid root of attribute name," 787 + " expected [" 788 + NAME + "], received " + id); 789 } 790 attr = new X509AttributeName(attr.getSuffix()); 791 id = attr.getPrefix(); 792 793 if (id.equalsIgnoreCase(INFO)) { 794 if (attr.getSuffix() != null) { 795 info = null; 796 } else { 797 info.delete(attr.getSuffix()); 798 } 799 } else if (id.equalsIgnoreCase(ALG_ID)) { 800 algId = null; 801 } else if (id.equalsIgnoreCase(SIGNATURE)) { 802 signature = null; 803 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 804 signedCert = null; 805 } else { 806 throw new CertificateException("Attribute name not recognized or " + 807 "delete() not allowed for the same: " + id); 808 } 809 } 810 811 /** 812 * Return an enumeration of names of attributes existing within this 813 * attribute. 814 */ 815 public Enumeration<String> getElements() { 816 AttributeNameEnumeration elements = new AttributeNameEnumeration(); 817 elements.addElement(NAME + DOT + INFO); 818 elements.addElement(NAME + DOT + ALG_ID); 819 elements.addElement(NAME + DOT + SIGNATURE); 820 elements.addElement(NAME + DOT + SIGNED_CERT); 821 822 return elements.elements(); 823 } 824 825 /** 826 * Return the name of this attribute. 827 */ 828 public String getName() { 829 return(NAME); 830 } 831 832 /** 833 * Returns a printable representation of the certificate. This does not 834 * contain all the information available to distinguish this from any 835 * other certificate. The certificate must be fully constructed 836 * before this function may be called. 837 */ 838 public String toString() { 839 if (info == null || algId == null || signature == null) 840 return ""; 841 842 HexDumpEncoder encoder = new HexDumpEncoder(); 843 return "[\n" + info + '\n' + 844 " Algorithm: [" + algId + "]\n" + 845 " Signature:\n" + encoder.encodeBuffer(signature) + "\n]"; 846 } 847 848 // the strongly typed gets, as per java.security.cert.X509Certificate 849 850 /** 851 * Gets the publickey from this certificate. 852 * 853 * @return the publickey. 854 */ 855 public PublicKey getPublicKey() { 856 if (info == null) 857 return null; 858 try { 859 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME 860 + DOT + CertificateX509Key.KEY); 861 return key; 862 } catch (Exception e) { 863 return null; 864 } 865 } 866 867 /** 868 * Gets the version number from the certificate. 869 * 870 * @return the version number, i.e. 1, 2 or 3. 871 */ 872 public int getVersion() { 873 if (info == null) 874 return -1; 875 try { 876 int vers = ((Integer)info.get(CertificateVersion.NAME 877 + DOT + CertificateVersion.VERSION)).intValue(); 878 return vers+1; 879 } catch (Exception e) { 880 return -1; 881 } 882 } 883 884 /** 885 * Gets the serial number from the certificate. 886 * 887 * @return the serial number. 888 */ 889 public BigInteger getSerialNumber() { 890 SerialNumber ser = getSerialNumberObject(); 891 892 return ser != null ? ser.getNumber() : null; 893 } 894 895 /** 896 * Gets the serial number from the certificate as 897 * a SerialNumber object. 898 * 899 * @return the serial number. 900 */ 901 public SerialNumber getSerialNumberObject() { 902 if (info == null) 903 return null; 904 try { 905 SerialNumber ser = (SerialNumber)info.get( 906 CertificateSerialNumber.NAME + DOT + 907 CertificateSerialNumber.NUMBER); 908 return ser; 909 } catch (Exception e) { 910 return null; 911 } 912 } 913 914 915 /** 916 * Gets the subject distinguished name from the certificate. 917 * 918 * @return the subject name. 919 */ 920 public Principal getSubjectDN() { 921 if (info == null) 922 return null; 923 try { 924 Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT + 925 X509CertInfo.DN_NAME); 926 return subject; 927 } catch (Exception e) { 928 return null; 929 } 930 } 931 932 /** 933 * Get subject name as X500Principal. Overrides implementation in 934 * X509Certificate with a slightly more efficient version that is 935 * also aware of X509CertImpl mutability. 936 */ 937 public X500Principal getSubjectX500Principal() { 938 if (info == null) { 939 return null; 940 } 941 try { 942 X500Principal subject = (X500Principal)info.get( 943 X509CertInfo.SUBJECT + DOT + 944 "x500principal"); 945 return subject; 946 } catch (Exception e) { 947 return null; 948 } 949 } 950 951 /** 952 * Gets the issuer distinguished name from the certificate. 953 * 954 * @return the issuer name. 955 */ 956 public Principal getIssuerDN() { 957 if (info == null) 958 return null; 959 try { 960 Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT + 961 X509CertInfo.DN_NAME); 962 return issuer; 963 } catch (Exception e) { 964 return null; 965 } 966 } 967 968 /** 969 * Get issuer name as X500Principal. Overrides implementation in 970 * X509Certificate with a slightly more efficient version that is 971 * also aware of X509CertImpl mutability. 972 */ 973 public X500Principal getIssuerX500Principal() { 974 if (info == null) { 975 return null; 976 } 977 try { 978 X500Principal issuer = (X500Principal)info.get( 979 X509CertInfo.ISSUER + DOT + 980 "x500principal"); 981 return issuer; 982 } catch (Exception e) { 983 return null; 984 } 985 } 986 987 /** 988 * Gets the notBefore date from the validity period of the certificate. 989 * 990 * @return the start date of the validity period. 991 */ 992 public Date getNotBefore() { 993 if (info == null) 994 return null; 995 try { 996 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 997 CertificateValidity.NOT_BEFORE); 998 return d; 999 } catch (Exception e) { 1000 return null; 1001 } 1002 } 1003 1004 /** 1005 * Gets the notAfter date from the validity period of the certificate. 1006 * 1007 * @return the end date of the validity period. 1008 */ 1009 public Date getNotAfter() { 1010 if (info == null) 1011 return null; 1012 try { 1013 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 1014 CertificateValidity.NOT_AFTER); 1015 return d; 1016 } catch (Exception e) { 1017 return null; 1018 } 1019 } 1020 1021 /** 1022 * Gets the DER encoded certificate informations, the 1023 * <code>tbsCertificate</code> from this certificate. 1024 * This can be used to verify the signature independently. 1025 * 1026 * @return the DER encoded certificate information. 1027 * @exception CertificateEncodingException if an encoding error occurs. 1028 */ 1029 public byte[] getTBSCertificate() throws CertificateEncodingException { 1030 if (info != null) { 1031 return info.getEncodedInfo(); 1032 } else 1033 throw new CertificateEncodingException("Uninitialized certificate"); 1034 } 1035 1036 /** 1037 * Gets the raw Signature bits from the certificate. 1038 * 1039 * @return the signature. 1040 */ 1041 public byte[] getSignature() { 1042 if (signature == null) 1043 return null; 1044 return signature.clone(); 1045 } 1046 1047 /** 1048 * Gets the signature algorithm name for the certificate 1049 * signature algorithm. 1050 * For example, the string "SHA-1/DSA" or "DSS". 1051 * 1052 * @return the signature algorithm name. 1053 */ 1054 public String getSigAlgName() { 1055 if (algId == null) 1056 return null; 1057 return (algId.getName()); 1058 } 1059 1060 /** 1061 * Gets the signature algorithm OID string from the certificate. 1062 * For example, the string "1.2.840.10040.4.3" 1063 * 1064 * @return the signature algorithm oid string. 1065 */ 1066 public String getSigAlgOID() { 1067 if (algId == null) 1068 return null; 1069 ObjectIdentifier oid = algId.getOID(); 1070 return (oid.toString()); 1071 } 1072 1073 /** 1074 * Gets the DER encoded signature algorithm parameters from this 1075 * certificate's signature algorithm. 1076 * 1077 * @return the DER encoded signature algorithm parameters, or 1078 * null if no parameters are present. 1079 */ 1080 public byte[] getSigAlgParams() { 1081 if (algId == null) 1082 return null; 1083 try { 1084 return algId.getEncodedParams(); 1085 } catch (IOException e) { 1086 return null; 1087 } 1088 } 1089 1090 /** 1091 * Gets the Issuer Unique Identity from the certificate. 1092 * 1093 * @return the Issuer Unique Identity. 1094 */ 1095 public boolean[] getIssuerUniqueID() { 1096 if (info == null) 1097 return null; 1098 try { 1099 UniqueIdentity id = (UniqueIdentity)info.get( 1100 X509CertInfo.ISSUER_ID); 1101 if (id == null) 1102 return null; 1103 else 1104 return (id.getId()); 1105 } catch (Exception e) { 1106 return null; 1107 } 1108 } 1109 1110 /** 1111 * Gets the Subject Unique Identity from the certificate. 1112 * 1113 * @return the Subject Unique Identity. 1114 */ 1115 public boolean[] getSubjectUniqueID() { 1116 if (info == null) 1117 return null; 1118 try { 1119 UniqueIdentity id = (UniqueIdentity)info.get( 1120 X509CertInfo.SUBJECT_ID); 1121 if (id == null) 1122 return null; 1123 else 1124 return (id.getId()); 1125 } catch (Exception e) { 1126 return null; 1127 } 1128 } 1129 1130 public KeyIdentifier getAuthKeyId() { 1131 AuthorityKeyIdentifierExtension aki 1132 = getAuthorityKeyIdentifierExtension(); 1133 if (aki != null) { 1134 try { 1135 return (KeyIdentifier)aki.get( 1136 AuthorityKeyIdentifierExtension.KEY_ID); 1137 } catch (IOException ioe) {} // not possible 1138 } 1139 return null; 1140 } 1141 1142 /** 1143 * Returns the subject's key identifier, or null 1144 */ 1145 public KeyIdentifier getSubjectKeyId() { 1146 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension(); 1147 if (ski != null) { 1148 try { 1149 return ski.get(SubjectKeyIdentifierExtension.KEY_ID); 1150 } catch (IOException ioe) {} // not possible 1151 } 1152 return null; 1153 } 1154 1155 /** 1156 * Get AuthorityKeyIdentifier extension 1157 * @return AuthorityKeyIdentifier object or null (if no such object 1158 * in certificate) 1159 */ 1160 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension() 1161 { 1162 return (AuthorityKeyIdentifierExtension) 1163 getExtension(PKIXExtensions.AuthorityKey_Id); 1164 } 1165 1166 /** 1167 * Get BasicConstraints extension 1168 * @return BasicConstraints object or null (if no such object in 1169 * certificate) 1170 */ 1171 public BasicConstraintsExtension getBasicConstraintsExtension() { 1172 return (BasicConstraintsExtension) 1173 getExtension(PKIXExtensions.BasicConstraints_Id); 1174 } 1175 1176 /** 1177 * Get CertificatePoliciesExtension 1178 * @return CertificatePoliciesExtension or null (if no such object in 1179 * certificate) 1180 */ 1181 public CertificatePoliciesExtension getCertificatePoliciesExtension() { 1182 return (CertificatePoliciesExtension) 1183 getExtension(PKIXExtensions.CertificatePolicies_Id); 1184 } 1185 1186 /** 1187 * Get ExtendedKeyUsage extension 1188 * @return ExtendedKeyUsage extension object or null (if no such object 1189 * in certificate) 1190 */ 1191 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() { 1192 return (ExtendedKeyUsageExtension) 1193 getExtension(PKIXExtensions.ExtendedKeyUsage_Id); 1194 } 1195 1196 /** 1197 * Get IssuerAlternativeName extension 1198 * @return IssuerAlternativeName object or null (if no such object in 1199 * certificate) 1200 */ 1201 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() { 1202 return (IssuerAlternativeNameExtension) 1203 getExtension(PKIXExtensions.IssuerAlternativeName_Id); 1204 } 1205 1206 /** 1207 * Get NameConstraints extension 1208 * @return NameConstraints object or null (if no such object in certificate) 1209 */ 1210 public NameConstraintsExtension getNameConstraintsExtension() { 1211 return (NameConstraintsExtension) 1212 getExtension(PKIXExtensions.NameConstraints_Id); 1213 } 1214 1215 /** 1216 * Get PolicyConstraints extension 1217 * @return PolicyConstraints object or null (if no such object in 1218 * certificate) 1219 */ 1220 public PolicyConstraintsExtension getPolicyConstraintsExtension() { 1221 return (PolicyConstraintsExtension) 1222 getExtension(PKIXExtensions.PolicyConstraints_Id); 1223 } 1224 1225 /** 1226 * Get PolicyMappingsExtension extension 1227 * @return PolicyMappingsExtension object or null (if no such object 1228 * in certificate) 1229 */ 1230 public PolicyMappingsExtension getPolicyMappingsExtension() { 1231 return (PolicyMappingsExtension) 1232 getExtension(PKIXExtensions.PolicyMappings_Id); 1233 } 1234 1235 /** 1236 * Get PrivateKeyUsage extension 1237 * @return PrivateKeyUsage object or null (if no such object in certificate) 1238 */ 1239 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() { 1240 return (PrivateKeyUsageExtension) 1241 getExtension(PKIXExtensions.PrivateKeyUsage_Id); 1242 } 1243 1244 /** 1245 * Get SubjectAlternativeName extension 1246 * @return SubjectAlternativeName object or null (if no such object in 1247 * certificate) 1248 */ 1249 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension() 1250 { 1251 return (SubjectAlternativeNameExtension) 1252 getExtension(PKIXExtensions.SubjectAlternativeName_Id); 1253 } 1254 1255 /** 1256 * Get SubjectKeyIdentifier extension 1257 * @return SubjectKeyIdentifier object or null (if no such object in 1258 * certificate) 1259 */ 1260 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() { 1261 return (SubjectKeyIdentifierExtension) 1262 getExtension(PKIXExtensions.SubjectKey_Id); 1263 } 1264 1265 /** 1266 * Get CRLDistributionPoints extension 1267 * @return CRLDistributionPoints object or null (if no such object in 1268 * certificate) 1269 */ 1270 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() { 1271 return (CRLDistributionPointsExtension) 1272 getExtension(PKIXExtensions.CRLDistributionPoints_Id); 1273 } 1274 1275 /** 1276 * Return true if a critical extension is found that is 1277 * not supported, otherwise return false. 1278 */ 1279 public boolean hasUnsupportedCriticalExtension() { 1280 if (info == null) 1281 return false; 1282 try { 1283 CertificateExtensions exts = (CertificateExtensions)info.get( 1284 CertificateExtensions.NAME); 1285 if (exts == null) 1286 return false; 1287 return exts.hasUnsupportedCriticalExtension(); 1288 } catch (Exception e) { 1289 return false; 1290 } 1291 } 1292 1293 /** 1294 * Gets a Set of the extension(s) marked CRITICAL in the 1295 * certificate. In the returned set, each extension is 1296 * represented by its OID string. 1297 * 1298 * @return a set of the extension oid strings in the 1299 * certificate that are marked critical. 1300 */ 1301 public Set<String> getCriticalExtensionOIDs() { 1302 if (info == null) { 1303 return null; 1304 } 1305 try { 1306 CertificateExtensions exts = (CertificateExtensions)info.get( 1307 CertificateExtensions.NAME); 1308 if (exts == null) { 1309 return null; 1310 } 1311 Set<String> extSet = new TreeSet<>(); 1312 for (Extension ex : exts.getAllExtensions()) { 1313 if (ex.isCritical()) { 1314 extSet.add(ex.getExtensionId().toString()); 1315 } 1316 } 1317 return extSet; 1318 } catch (Exception e) { 1319 return null; 1320 } 1321 } 1322 1323 /** 1324 * Gets a Set of the extension(s) marked NON-CRITICAL in the 1325 * certificate. In the returned set, each extension is 1326 * represented by its OID string. 1327 * 1328 * @return a set of the extension oid strings in the 1329 * certificate that are NOT marked critical. 1330 */ 1331 public Set<String> getNonCriticalExtensionOIDs() { 1332 if (info == null) { 1333 return null; 1334 } 1335 try { 1336 CertificateExtensions exts = (CertificateExtensions)info.get( 1337 CertificateExtensions.NAME); 1338 if (exts == null) { 1339 return null; 1340 } 1341 Set<String> extSet = new TreeSet<>(); 1342 for (Extension ex : exts.getAllExtensions()) { 1343 if (!ex.isCritical()) { 1344 extSet.add(ex.getExtensionId().toString()); 1345 } 1346 } 1347 extSet.addAll(exts.getUnparseableExtensions().keySet()); 1348 return extSet; 1349 } catch (Exception e) { 1350 return null; 1351 } 1352 } 1353 1354 /** 1355 * Gets the extension identified by the given ObjectIdentifier 1356 * 1357 * @param oid the Object Identifier value for the extension. 1358 * @return Extension or null if certificate does not contain this 1359 * extension 1360 */ 1361 public Extension getExtension(ObjectIdentifier oid) { 1362 if (info == null) { 1363 return null; 1364 } 1365 try { 1366 CertificateExtensions extensions; 1367 try { 1368 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1369 } catch (CertificateException ce) { 1370 return null; 1371 } 1372 if (extensions == null) { 1373 return null; 1374 } else { 1375 Extension ex = extensions.getExtension(oid.toString()); 1376 if (ex != null) { 1377 return ex; 1378 } 1379 for (Extension ex2: extensions.getAllExtensions()) { 1380 if (ex2.getExtensionId().equals(oid)) { 1381 //XXXX May want to consider cloning this 1382 return ex2; 1383 } 1384 } 1385 /* no such extension in this certificate */ 1386 return null; 1387 } 1388 } catch (IOException ioe) { 1389 return null; 1390 } 1391 } 1392 1393 public Extension getUnparseableExtension(ObjectIdentifier oid) { 1394 if (info == null) { 1395 return null; 1396 } 1397 try { 1398 CertificateExtensions extensions; 1399 try { 1400 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1401 } catch (CertificateException ce) { 1402 return null; 1403 } 1404 if (extensions == null) { 1405 return null; 1406 } else { 1407 return extensions.getUnparseableExtensions().get(oid.toString()); 1408 } 1409 } catch (IOException ioe) { 1410 return null; 1411 } 1412 } 1413 1414 /** 1415 * Gets the DER encoded extension identified by the given 1416 * oid String. 1417 * 1418 * @param oid the Object Identifier value for the extension. 1419 */ 1420 public byte[] getExtensionValue(String oid) { 1421 try { 1422 ObjectIdentifier findOID = new ObjectIdentifier(oid); 1423 String extAlias = OIDMap.getName(findOID); 1424 Extension certExt = null; 1425 CertificateExtensions exts = (CertificateExtensions)info.get( 1426 CertificateExtensions.NAME); 1427 1428 if (extAlias == null) { // may be unknown 1429 // get the extensions, search thru' for this oid 1430 if (exts == null) { 1431 return null; 1432 } 1433 1434 for (Extension ex : exts.getAllExtensions()) { 1435 ObjectIdentifier inCertOID = ex.getExtensionId(); 1436 if (inCertOID.equals(findOID)) { 1437 certExt = ex; 1438 break; 1439 } 1440 } 1441 } else { // there's sub-class that can handle this extension 1442 try { 1443 certExt = (Extension)this.get(extAlias); 1444 } catch (CertificateException e) { 1445 // get() throws an Exception instead of returning null, ignore 1446 } 1447 } 1448 if (certExt == null) { 1449 if (exts != null) { 1450 certExt = exts.getUnparseableExtensions().get(oid); 1451 } 1452 if (certExt == null) { 1453 return null; 1454 } 1455 } 1456 byte[] extData = certExt.getExtensionValue(); 1457 if (extData == null) { 1458 return null; 1459 } 1460 DerOutputStream out = new DerOutputStream(); 1461 out.putOctetString(extData); 1462 return out.toByteArray(); 1463 } catch (Exception e) { 1464 return null; 1465 } 1466 } 1467 1468 /** 1469 * Get a boolean array representing the bits of the KeyUsage extension, 1470 * (oid = 2.5.29.15). 1471 * @return the bit values of this extension as an array of booleans. 1472 */ 1473 public boolean[] getKeyUsage() { 1474 try { 1475 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id); 1476 if (extAlias == null) 1477 return null; 1478 1479 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias); 1480 if (certExt == null) 1481 return null; 1482 1483 boolean[] ret = certExt.getBits(); 1484 if (ret.length < NUM_STANDARD_KEY_USAGE) { 1485 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE]; 1486 System.arraycopy(ret, 0, usageBits, 0, ret.length); 1487 ret = usageBits; 1488 } 1489 return ret; 1490 } catch (Exception e) { 1491 return null; 1492 } 1493 } 1494 1495 /** 1496 * This method are the overridden implementation of 1497 * getExtendedKeyUsage method in X509Certificate in the Sun 1498 * provider. It is better performance-wise since it returns cached 1499 * values. 1500 */ 1501 public synchronized List<String> getExtendedKeyUsage() 1502 throws CertificateParsingException { 1503 if (readOnly && extKeyUsage != null) { 1504 return extKeyUsage; 1505 } else { 1506 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension(); 1507 if (ext == null) { 1508 return null; 1509 } 1510 extKeyUsage = 1511 Collections.unmodifiableList(ext.getExtendedKeyUsage()); 1512 return extKeyUsage; 1513 } 1514 } 1515 1516 /** 1517 * This static method is the default implementation of the 1518 * getExtendedKeyUsage method in X509Certificate. A 1519 * X509Certificate provider generally should overwrite this to 1520 * provide among other things caching for better performance. 1521 */ 1522 public static List<String> getExtendedKeyUsage(X509Certificate cert) 1523 throws CertificateParsingException { 1524 try { 1525 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID); 1526 if (ext == null) 1527 return null; 1528 DerValue val = new DerValue(ext); 1529 byte[] data = val.getOctetString(); 1530 1531 ExtendedKeyUsageExtension ekuExt = 1532 new ExtendedKeyUsageExtension(Boolean.FALSE, data); 1533 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage()); 1534 } catch (IOException ioe) { 1535 throw new CertificateParsingException(ioe); 1536 } 1537 } 1538 1539 /** 1540 * Get the certificate constraints path length from 1541 * the critical BasicConstraints extension, (oid = 2.5.29.19). 1542 * @return the length of the constraint. 1543 */ 1544 public int getBasicConstraints() { 1545 try { 1546 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id); 1547 if (extAlias == null) 1548 return -1; 1549 BasicConstraintsExtension certExt = 1550 (BasicConstraintsExtension)this.get(extAlias); 1551 if (certExt == null) 1552 return -1; 1553 1554 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA) 1555 ).booleanValue() == true) 1556 return ((Integer)certExt.get( 1557 BasicConstraintsExtension.PATH_LEN)).intValue(); 1558 else 1559 return -1; 1560 } catch (Exception e) { 1561 return -1; 1562 } 1563 } 1564 1565 /** 1566 * Converts a GeneralNames structure into an immutable Collection of 1567 * alternative names (subject or issuer) in the form required by 1568 * {@link #getSubjectAlternativeNames} or 1569 * {@link #getIssuerAlternativeNames}. 1570 * 1571 * @param names the GeneralNames to be converted 1572 * @return an immutable Collection of alternative names 1573 */ 1574 private static Collection<List<?>> makeAltNames(GeneralNames names) { 1575 if (names.isEmpty()) { 1576 return Collections.<List<?>>emptySet(); 1577 } 1578 List<List<?>> newNames = new ArrayList<>(); 1579 for (GeneralName gname : names.names()) { 1580 GeneralNameInterface name = gname.getName(); 1581 List<Object> nameEntry = new ArrayList<>(2); 1582 nameEntry.add(Integer.valueOf(name.getType())); 1583 switch (name.getType()) { 1584 case GeneralNameInterface.NAME_RFC822: 1585 nameEntry.add(((RFC822Name) name).getName()); 1586 break; 1587 case GeneralNameInterface.NAME_DNS: 1588 nameEntry.add(((DNSName) name).getName()); 1589 break; 1590 case GeneralNameInterface.NAME_DIRECTORY: 1591 nameEntry.add(((X500Name) name).getRFC2253Name()); 1592 break; 1593 case GeneralNameInterface.NAME_URI: 1594 nameEntry.add(((URIName) name).getName()); 1595 break; 1596 case GeneralNameInterface.NAME_IP: 1597 try { 1598 nameEntry.add(((IPAddressName) name).getName()); 1599 } catch (IOException ioe) { 1600 // IPAddressName in cert is bogus 1601 throw new RuntimeException("IPAddress cannot be parsed", 1602 ioe); 1603 } 1604 break; 1605 case GeneralNameInterface.NAME_OID: 1606 nameEntry.add(((OIDName) name).getOID().toString()); 1607 break; 1608 default: 1609 // add DER encoded form 1610 DerOutputStream derOut = new DerOutputStream(); 1611 try { 1612 name.encode(derOut); 1613 } catch (IOException ioe) { 1614 // should not occur since name has already been decoded 1615 // from cert (this would indicate a bug in our code) 1616 throw new RuntimeException("name cannot be encoded", ioe); 1617 } 1618 nameEntry.add(derOut.toByteArray()); 1619 break; 1620 } 1621 newNames.add(Collections.unmodifiableList(nameEntry)); 1622 } 1623 return Collections.unmodifiableCollection(newNames); 1624 } 1625 1626 /** 1627 * Checks a Collection of altNames and clones any name entries of type 1628 * byte []. 1629 */ // only partially generified due to javac bug 1630 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) { 1631 boolean mustClone = false; 1632 for (List<?> nameEntry : altNames) { 1633 if (nameEntry.get(1) instanceof byte[]) { 1634 // must clone names 1635 mustClone = true; 1636 } 1637 } 1638 if (mustClone) { 1639 List<List<?>> namesCopy = new ArrayList<>(); 1640 for (List<?> nameEntry : altNames) { 1641 Object nameObject = nameEntry.get(1); 1642 if (nameObject instanceof byte[]) { 1643 List<Object> nameEntryCopy = 1644 new ArrayList<>(nameEntry); 1645 nameEntryCopy.set(1, ((byte[])nameObject).clone()); 1646 namesCopy.add(Collections.unmodifiableList(nameEntryCopy)); 1647 } else { 1648 namesCopy.add(nameEntry); 1649 } 1650 } 1651 return Collections.unmodifiableCollection(namesCopy); 1652 } else { 1653 return altNames; 1654 } 1655 } 1656 1657 /** 1658 * This method are the overridden implementation of 1659 * getSubjectAlternativeNames method in X509Certificate in the Sun 1660 * provider. It is better performance-wise since it returns cached 1661 * values. 1662 */ 1663 public synchronized Collection<List<?>> getSubjectAlternativeNames() 1664 throws CertificateParsingException { 1665 // return cached value if we can 1666 if (readOnly && subjectAlternativeNames != null) { 1667 return cloneAltNames(subjectAlternativeNames); 1668 } 1669 SubjectAlternativeNameExtension subjectAltNameExt = 1670 getSubjectAlternativeNameExtension(); 1671 if (subjectAltNameExt == null) { 1672 return null; 1673 } 1674 GeneralNames names; 1675 try { 1676 names = subjectAltNameExt.get( 1677 SubjectAlternativeNameExtension.SUBJECT_NAME); 1678 } catch (IOException ioe) { 1679 // should not occur 1680 return Collections.<List<?>>emptySet(); 1681 } 1682 subjectAlternativeNames = makeAltNames(names); 1683 return subjectAlternativeNames; 1684 } 1685 1686 /** 1687 * This static method is the default implementation of the 1688 * getSubjectAlternaitveNames method in X509Certificate. A 1689 * X509Certificate provider generally should overwrite this to 1690 * provide among other things caching for better performance. 1691 */ 1692 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert) 1693 throws CertificateParsingException { 1694 try { 1695 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID); 1696 if (ext == null) { 1697 return null; 1698 } 1699 DerValue val = new DerValue(ext); 1700 byte[] data = val.getOctetString(); 1701 1702 SubjectAlternativeNameExtension subjectAltNameExt = 1703 new SubjectAlternativeNameExtension(Boolean.FALSE, 1704 data); 1705 1706 GeneralNames names; 1707 try { 1708 names = subjectAltNameExt.get( 1709 SubjectAlternativeNameExtension.SUBJECT_NAME); 1710 } catch (IOException ioe) { 1711 // should not occur 1712 return Collections.<List<?>>emptySet(); 1713 } 1714 return makeAltNames(names); 1715 } catch (IOException ioe) { 1716 throw new CertificateParsingException(ioe); 1717 } 1718 } 1719 1720 /** 1721 * This method are the overridden implementation of 1722 * getIssuerAlternativeNames method in X509Certificate in the Sun 1723 * provider. It is better performance-wise since it returns cached 1724 * values. 1725 */ 1726 public synchronized Collection<List<?>> getIssuerAlternativeNames() 1727 throws CertificateParsingException { 1728 // return cached value if we can 1729 if (readOnly && issuerAlternativeNames != null) { 1730 return cloneAltNames(issuerAlternativeNames); 1731 } 1732 IssuerAlternativeNameExtension issuerAltNameExt = 1733 getIssuerAlternativeNameExtension(); 1734 if (issuerAltNameExt == null) { 1735 return null; 1736 } 1737 GeneralNames names; 1738 try { 1739 names = issuerAltNameExt.get( 1740 IssuerAlternativeNameExtension.ISSUER_NAME); 1741 } catch (IOException ioe) { 1742 // should not occur 1743 return Collections.<List<?>>emptySet(); 1744 } 1745 issuerAlternativeNames = makeAltNames(names); 1746 return issuerAlternativeNames; 1747 } 1748 1749 /** 1750 * This static method is the default implementation of the 1751 * getIssuerAlternaitveNames method in X509Certificate. A 1752 * X509Certificate provider generally should overwrite this to 1753 * provide among other things caching for better performance. 1754 */ 1755 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert) 1756 throws CertificateParsingException { 1757 try { 1758 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID); 1759 if (ext == null) { 1760 return null; 1761 } 1762 1763 DerValue val = new DerValue(ext); 1764 byte[] data = val.getOctetString(); 1765 1766 IssuerAlternativeNameExtension issuerAltNameExt = 1767 new IssuerAlternativeNameExtension(Boolean.FALSE, 1768 data); 1769 GeneralNames names; 1770 try { 1771 names = issuerAltNameExt.get( 1772 IssuerAlternativeNameExtension.ISSUER_NAME); 1773 } catch (IOException ioe) { 1774 // should not occur 1775 return Collections.<List<?>>emptySet(); 1776 } 1777 return makeAltNames(names); 1778 } catch (IOException ioe) { 1779 throw new CertificateParsingException(ioe); 1780 } 1781 } 1782 1783 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() { 1784 return (AuthorityInfoAccessExtension) 1785 getExtension(PKIXExtensions.AuthInfoAccess_Id); 1786 } 1787 1788 /************************************************************/ 1789 1790 /* 1791 * Cert is a SIGNED ASN.1 macro, a three elment sequence: 1792 * 1793 * - Data to be signed (ToBeSigned) -- the "raw" cert 1794 * - Signature algorithm (SigAlgId) 1795 * - The signature bits 1796 * 1797 * This routine unmarshals the certificate, saving the signature 1798 * parts away for later verification. 1799 */ 1800 private void parse(DerValue val) 1801 throws CertificateException, IOException { 1802 // check if can over write the certificate 1803 if (readOnly) 1804 throw new CertificateParsingException( 1805 "cannot over-write existing certificate"); 1806 1807 if (val.data == null || val.tag != DerValue.tag_Sequence) 1808 throw new CertificateParsingException( 1809 "invalid DER-encoded certificate data"); 1810 1811 signedCert = val.toByteArray(); 1812 DerValue[] seq = new DerValue[3]; 1813 1814 seq[0] = val.data.getDerValue(); 1815 seq[1] = val.data.getDerValue(); 1816 seq[2] = val.data.getDerValue(); 1817 1818 if (val.data.available() != 0) { 1819 throw new CertificateParsingException("signed overrun, bytes = " 1820 + val.data.available()); 1821 } 1822 if (seq[0].tag != DerValue.tag_Sequence) { 1823 throw new CertificateParsingException("signed fields invalid"); 1824 } 1825 1826 algId = AlgorithmId.parse(seq[1]); 1827 signature = seq[2].getBitString(); 1828 1829 if (seq[1].data.available() != 0) { 1830 throw new CertificateParsingException("algid field overrun"); 1831 } 1832 if (seq[2].data.available() != 0) 1833 throw new CertificateParsingException("signed fields overrun"); 1834 1835 // The CertificateInfo 1836 info = new X509CertInfo(seq[0]); 1837 1838 // the "inner" and "outer" signature algorithms must match 1839 AlgorithmId infoSigAlg = (AlgorithmId)info.get( 1840 CertificateAlgorithmId.NAME 1841 + DOT + 1842 CertificateAlgorithmId.ALGORITHM); 1843 if (! algId.equals(infoSigAlg)) 1844 throw new CertificateException("Signature algorithm mismatch"); 1845 readOnly = true; 1846 } 1847 1848 /** 1849 * Extract the subject or issuer X500Principal from an X509Certificate. 1850 * Parses the encoded form of the cert to preserve the principal's 1851 * ASN.1 encoding. 1852 */ 1853 private static X500Principal getX500Principal(X509Certificate cert, 1854 boolean getIssuer) throws Exception { 1855 byte[] encoded = cert.getEncoded(); 1856 DerInputStream derIn = new DerInputStream(encoded); 1857 DerValue tbsCert = derIn.getSequence(3)[0]; 1858 DerInputStream tbsIn = tbsCert.data; 1859 DerValue tmp; 1860 tmp = tbsIn.getDerValue(); 1861 // skip version number if present 1862 if (tmp.isContextSpecific((byte)0)) { 1863 tmp = tbsIn.getDerValue(); 1864 } 1865 // tmp always contains serial number now 1866 tmp = tbsIn.getDerValue(); // skip signature 1867 tmp = tbsIn.getDerValue(); // issuer 1868 if (getIssuer == false) { 1869 tmp = tbsIn.getDerValue(); // skip validity 1870 tmp = tbsIn.getDerValue(); // subject 1871 } 1872 byte[] principalBytes = tmp.toByteArray(); 1873 return new X500Principal(principalBytes); 1874 } 1875 1876 /** 1877 * Extract the subject X500Principal from an X509Certificate. 1878 * Called from java.security.cert.X509Certificate.getSubjectX500Principal(). 1879 */ 1880 public static X500Principal getSubjectX500Principal(X509Certificate cert) { 1881 try { 1882 return getX500Principal(cert, false); 1883 } catch (Exception e) { 1884 throw new RuntimeException("Could not parse subject", e); 1885 } 1886 } 1887 1888 /** 1889 * Extract the issuer X500Principal from an X509Certificate. 1890 * Called from java.security.cert.X509Certificate.getIssuerX500Principal(). 1891 */ 1892 public static X500Principal getIssuerX500Principal(X509Certificate cert) { 1893 try { 1894 return getX500Principal(cert, true); 1895 } catch (Exception e) { 1896 throw new RuntimeException("Could not parse issuer", e); 1897 } 1898 } 1899 1900 /** 1901 * Returned the encoding of the given certificate for internal use. 1902 * Callers must guarantee that they neither modify it nor expose it 1903 * to untrusted code. Uses getEncodedInternal() if the certificate 1904 * is instance of X509CertImpl, getEncoded() otherwise. 1905 */ 1906 public static byte[] getEncodedInternal(Certificate cert) 1907 throws CertificateEncodingException { 1908 if (cert instanceof X509CertImpl) { 1909 return ((X509CertImpl)cert).getEncodedInternal(); 1910 } else { 1911 return cert.getEncoded(); 1912 } 1913 } 1914 1915 /** 1916 * Utility method to convert an arbitrary instance of X509Certificate 1917 * to a X509CertImpl. Does a cast if possible, otherwise reparses 1918 * the encoding. 1919 */ 1920 public static X509CertImpl toImpl(X509Certificate cert) 1921 throws CertificateException { 1922 if (cert instanceof X509CertImpl) { 1923 return (X509CertImpl)cert; 1924 } else { 1925 return X509Factory.intern(cert); 1926 } 1927 } 1928 1929 /** 1930 * Utility method to test if a certificate is self-issued. This is 1931 * the case iff the subject and issuer X500Principals are equal. 1932 */ 1933 public static boolean isSelfIssued(X509Certificate cert) { 1934 X500Principal subject = cert.getSubjectX500Principal(); 1935 X500Principal issuer = cert.getIssuerX500Principal(); 1936 return subject.equals(issuer); 1937 } 1938 1939 /** 1940 * Utility method to test if a certificate is self-signed. This is 1941 * the case iff the subject and issuer X500Principals are equal 1942 * AND the certificate's subject public key can be used to verify 1943 * the certificate. In case of exception, returns false. 1944 */ 1945 public static boolean isSelfSigned(X509Certificate cert, 1946 String sigProvider) { 1947 if (isSelfIssued(cert)) { 1948 try { 1949 if (sigProvider == null) { 1950 cert.verify(cert.getPublicKey()); 1951 } else { 1952 cert.verify(cert.getPublicKey(), sigProvider); 1953 } 1954 return true; 1955 } catch (Exception e) { 1956 // In case of exception, return false 1957 } 1958 } 1959 return false; 1960 } 1961 1962 private ConcurrentHashMap<String,String> fingerprints = 1963 new ConcurrentHashMap<>(2); 1964 1965 public String getFingerprint(String algorithm) { 1966 return fingerprints.computeIfAbsent(algorithm, 1967 x -> getFingerprint(x, this)); 1968 } 1969 1970 /** 1971 * Gets the requested finger print of the certificate. The result 1972 * only contains 0-9 and A-F. No small case, no colon. 1973 */ 1974 public static String getFingerprint(String algorithm, 1975 X509Certificate cert) { 1976 try { 1977 byte[] encCertInfo = cert.getEncoded(); 1978 MessageDigest md = MessageDigest.getInstance(algorithm); 1979 byte[] digest = md.digest(encCertInfo); 1980 StringBuilder sb = new StringBuilder(digest.length * 2); 1981 for (int i = 0; i < digest.length; i++) { 1982 byte2hex(digest[i], sb); 1983 } 1984 return sb.toString(); 1985 } catch (NoSuchAlgorithmException | CertificateEncodingException e) { 1986 // ignored 1987 } 1988 return ""; 1989 } 1990 1991 /** 1992 * Converts a byte to hex digit and writes to the supplied builder 1993 */ 1994 private static void byte2hex(byte b, StringBuilder buf) { 1995 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', 1996 '9', 'A', 'B', 'C', 'D', 'E', 'F' }; 1997 int high = ((b & 0xf0) >> 4); 1998 int low = (b & 0x0f); 1999 buf.append(hexChars[high]) 2000 .append(hexChars[low]); 2001 } 2002 }