src/share/classes/java/security/cert/X509CertSelector.java

Print this page




  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.io.IOException;
  29 import java.math.BigInteger;
  30 import java.security.PublicKey;
  31 import java.util.*;
  32 import javax.security.auth.x500.X500Principal;
  33 
  34 import sun.misc.HexDumpEncoder;
  35 import sun.security.util.Debug;
  36 import sun.security.util.DerInputStream;
  37 import sun.security.util.DerValue;
  38 import sun.security.util.ObjectIdentifier;
  39 import sun.security.x509.*;
  40 
  41 /**
  42  * A <code>CertSelector</code> that selects <code>X509Certificates</code> that
  43  * match all specified criteria. This class is particularly useful when
  44  * selecting certificates from a <code>CertStore</code> to build a
  45  * PKIX-compliant certification path.
  46  * <p>
  47  * When first constructed, an <code>X509CertSelector</code> has no criteria
  48  * enabled and each of the <code>get</code> methods return a default value
  49  * (<code>null</code>, or <code>-1</code> for the {@link #getBasicConstraints
  50  * getBasicConstraints} method). Therefore, the {@link #match match}
  51  * method would return <code>true</code> for any <code>X509Certificate</code>.
  52  * Typically, several criteria are enabled (by calling
  53  * {@link #setIssuer setIssuer} or
  54  * {@link #setKeyUsage setKeyUsage}, for instance) and then the
  55  * <code>X509CertSelector</code> is passed to
  56  * {@link CertStore#getCertificates CertStore.getCertificates} or some similar
  57  * method.
  58  * <p>
  59  * Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
  60  * and {@link #setSerialNumber setSerialNumber},
  61  * for example) such that the <code>match</code> method
  62  * usually uniquely matches a single <code>X509Certificate</code>. We say
  63  * usually, since it is possible for two issuing CAs to have the same
  64  * distinguished name and each issue a certificate with the same serial
  65  * number. Other unique combinations include the issuer, subject,
  66  * subjectKeyIdentifier and/or the subjectPublicKey criteria.
  67  * <p>
  68  * Please refer to <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280:
  69  * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for
  70  * definitions of the X.509 certificate extensions mentioned below.
  71  * <p>
  72  * <b>Concurrent Access</b>
  73  * <p>
  74  * Unless otherwise specified, the methods defined in this class are not
  75  * thread-safe. Multiple threads that need to access a single
  76  * object concurrently should synchronize amongst themselves and
  77  * provide the necessary locking. Multiple threads each manipulating
  78  * separate objects need not synchronize.
  79  *
  80  * @see CertSelector
  81  * @see X509Certificate
  82  *


 132     static {
 133         EXTENSION_OIDS[PRIVATE_KEY_USAGE_ID]  = "2.5.29.16";
 134         EXTENSION_OIDS[SUBJECT_ALT_NAME_ID]   = "2.5.29.17";
 135         EXTENSION_OIDS[NAME_CONSTRAINTS_ID]   = "2.5.29.30";
 136         EXTENSION_OIDS[CERT_POLICIES_ID]      = "2.5.29.32";
 137         EXTENSION_OIDS[EXTENDED_KEY_USAGE_ID] = "2.5.29.37";
 138     };
 139 
 140     /* Constants representing the GeneralName types */
 141     static final int NAME_ANY = 0;
 142     static final int NAME_RFC822 = 1;
 143     static final int NAME_DNS = 2;
 144     static final int NAME_X400 = 3;
 145     static final int NAME_DIRECTORY = 4;
 146     static final int NAME_EDI = 5;
 147     static final int NAME_URI = 6;
 148     static final int NAME_IP = 7;
 149     static final int NAME_OID = 8;
 150 
 151     /**
 152      * Creates an <code>X509CertSelector</code>. Initially, no criteria are set
 153      * so any <code>X509Certificate</code> will match.
 154      */
 155     public X509CertSelector() {
 156         // empty
 157     }
 158 
 159     /**
 160      * Sets the certificateEquals criterion. The specified
 161      * <code>X509Certificate</code> must be equal to the
 162      * <code>X509Certificate</code> passed to the <code>match</code> method.
 163      * If <code>null</code>, then this check is not applied.
 164      *
 165      * <p>This method is particularly useful when it is necessary to
 166      * match a single certificate. Although other criteria can be specified
 167      * in conjunction with the certificateEquals criterion, it is usually not
 168      * practical or necessary.
 169      *
 170      * @param cert the <code>X509Certificate</code> to match (or
 171      * <code>null</code>)
 172      * @see #getCertificate
 173      */
 174     public void setCertificate(X509Certificate cert) {
 175         x509Cert = cert;
 176     }
 177 
 178     /**
 179      * Sets the serialNumber criterion. The specified serial number
 180      * must match the certificate serial number in the
 181      * <code>X509Certificate</code>. If <code>null</code>, any certificate
 182      * serial number will do.
 183      *
 184      * @param serial the certificate serial number to match
 185      *        (or <code>null</code>)
 186      * @see #getSerialNumber
 187      */
 188     public void setSerialNumber(BigInteger serial) {
 189         serialNumber = serial;
 190     }
 191 
 192     /**
 193      * Sets the issuer criterion. The specified distinguished name
 194      * must match the issuer distinguished name in the
 195      * <code>X509Certificate</code>. If <code>null</code>, any issuer
 196      * distinguished name will do.
 197      *
 198      * @param issuer a distinguished name as X500Principal
 199      *                 (or <code>null</code>)
 200      * @since 1.5
 201      */
 202     public void setIssuer(X500Principal issuer) {
 203         this.issuer = issuer;
 204     }
 205 
 206     /**
 207      * <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
 208      * or {@linkplain #setIssuer(byte[])} instead. This method should not be
 209      * relied on as it can fail to match some certificates because of a loss of
 210      * encoding information in the
 211      * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
 212      * of some distinguished names.
 213      * <p>
 214      * Sets the issuer criterion. The specified distinguished name
 215      * must match the issuer distinguished name in the
 216      * <code>X509Certificate</code>. If <code>null</code>, any issuer
 217      * distinguished name will do.
 218      * <p>
 219      * If <code>issuerDN</code> is not <code>null</code>, it should contain a
 220      * distinguished name, in RFC 2253 format.
 221      *
 222      * @param issuerDN a distinguished name in RFC 2253 format
 223      *                 (or <code>null</code>)
 224      * @throws IOException if a parsing error occurs (incorrect form for DN)
 225      */
 226     public void setIssuer(String issuerDN) throws IOException {
 227         if (issuerDN == null) {
 228             issuer = null;
 229         } else {
 230             issuer = new X500Name(issuerDN).asX500Principal();
 231         }
 232     }
 233 
 234     /**
 235      * Sets the issuer criterion. The specified distinguished name
 236      * must match the issuer distinguished name in the
 237      * <code>X509Certificate</code>. If <code>null</code> is specified,
 238      * the issuer criterion is disabled and any issuer distinguished name will
 239      * do.
 240      * <p>
 241      * If <code>issuerDN</code> is not <code>null</code>, it should contain a
 242      * single DER encoded distinguished name, as defined in X.501. The ASN.1
 243      * notation for this structure is as follows.
 244      * <pre><code>
 245      * Name ::= CHOICE {
 246      *   RDNSequence }
 247      *
 248      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 249      *
 250      * RelativeDistinguishedName ::=
 251      *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
 252      *
 253      * AttributeTypeAndValue ::= SEQUENCE {
 254      *   type     AttributeType,
 255      *   value    AttributeValue }
 256      *
 257      * AttributeType ::= OBJECT IDENTIFIER
 258      *
 259      * AttributeValue ::= ANY DEFINED BY AttributeType
 260      * ....
 261      * DirectoryString ::= CHOICE {
 262      *       teletexString           TeletexString (SIZE (1..MAX)),
 263      *       printableString         PrintableString (SIZE (1..MAX)),
 264      *       universalString         UniversalString (SIZE (1..MAX)),
 265      *       utf8String              UTF8String (SIZE (1.. MAX)),
 266      *       bmpString               BMPString (SIZE (1..MAX)) }
 267      * </code></pre>
 268      * <p>
 269      * Note that the byte array specified here is cloned to protect against
 270      * subsequent modifications.
 271      *
 272      * @param issuerDN a byte array containing the distinguished name
 273      *                 in ASN.1 DER encoded form (or <code>null</code>)
 274      * @throws IOException if an encoding error occurs (incorrect form for DN)
 275      */
 276     public void setIssuer(byte[] issuerDN) throws IOException {
 277         try {
 278             issuer = (issuerDN == null ? null : new X500Principal(issuerDN));
 279         } catch (IllegalArgumentException e) {
 280             throw new IOException("Invalid name", e);
 281         }
 282     }
 283 
 284     /**
 285      * Sets the subject criterion. The specified distinguished name
 286      * must match the subject distinguished name in the
 287      * <code>X509Certificate</code>. If <code>null</code>, any subject
 288      * distinguished name will do.
 289      *
 290      * @param subject a distinguished name as X500Principal
 291      *                  (or <code>null</code>)
 292      * @since 1.5
 293      */
 294     public void setSubject(X500Principal subject) {
 295         this.subject = subject;
 296     }
 297 
 298     /**
 299      * <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
 300      * or {@linkplain #setSubject(byte[])} instead. This method should not be
 301      * relied on as it can fail to match some certificates because of a loss of
 302      * encoding information in the RFC 2253 String form of some distinguished
 303      * names.
 304      * <p>
 305      * Sets the subject criterion. The specified distinguished name
 306      * must match the subject distinguished name in the
 307      * <code>X509Certificate</code>. If <code>null</code>, any subject
 308      * distinguished name will do.
 309      * <p>
 310      * If <code>subjectDN</code> is not <code>null</code>, it should contain a
 311      * distinguished name, in RFC 2253 format.
 312      *
 313      * @param subjectDN a distinguished name in RFC 2253 format
 314      *                  (or <code>null</code>)
 315      * @throws IOException if a parsing error occurs (incorrect form for DN)
 316      */
 317     public void setSubject(String subjectDN) throws IOException {
 318         if (subjectDN == null) {
 319             subject = null;
 320         } else {
 321             subject = new X500Name(subjectDN).asX500Principal();
 322         }
 323     }
 324 
 325     /**
 326      * Sets the subject criterion. The specified distinguished name
 327      * must match the subject distinguished name in the
 328      * <code>X509Certificate</code>. If <code>null</code>, any subject
 329      * distinguished name will do.
 330      * <p>
 331      * If <code>subjectDN</code> is not <code>null</code>, it should contain a
 332      * single DER encoded distinguished name, as defined in X.501. For the ASN.1
 333      * notation for this structure, see
 334      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
 335      *
 336      * @param subjectDN a byte array containing the distinguished name in
 337      *                  ASN.1 DER format (or <code>null</code>)
 338      * @throws IOException if an encoding error occurs (incorrect form for DN)
 339      */
 340     public void setSubject(byte[] subjectDN) throws IOException {
 341         try {
 342             subject = (subjectDN == null ? null : new X500Principal(subjectDN));
 343         } catch (IllegalArgumentException e) {
 344             throw new IOException("Invalid name", e);
 345         }
 346     }
 347 
 348     /**
 349      * Sets the subjectKeyIdentifier criterion. The
 350      * <code>X509Certificate</code> must contain a SubjectKeyIdentifier
 351      * extension for which the contents of the extension
 352      * matches the specified criterion value.
 353      * If the criterion value is <code>null</code>, no
 354      * subjectKeyIdentifier check will be done.
 355      * <p>
 356      * If <code>subjectKeyID</code> is not <code>null</code>, it
 357      * should contain a single DER encoded value corresponding to the contents
 358      * of the extension value (not including the object identifier,
 359      * criticality setting, and encapsulating OCTET STRING)
 360      * for a SubjectKeyIdentifier extension.
 361      * The ASN.1 notation for this structure follows.
 362      * <p>
 363      * <pre><code>
 364      * SubjectKeyIdentifier ::= KeyIdentifier
 365      *
 366      * KeyIdentifier ::= OCTET STRING
 367      * </code></pre>
 368      * <p>
 369      * Since the format of subject key identifiers is not mandated by
 370      * any standard, subject key identifiers are not parsed by the
 371      * <code>X509CertSelector</code>. Instead, the values are compared using
 372      * a byte-by-byte comparison.
 373      * <p>
 374      * Note that the byte array supplied here is cloned to protect against
 375      * subsequent modifications.
 376      *
 377      * @param subjectKeyID the subject key identifier (or <code>null</code>)
 378      * @see #getSubjectKeyIdentifier
 379      */
 380     public void setSubjectKeyIdentifier(byte[] subjectKeyID) {
 381         if (subjectKeyID == null) {
 382             this.subjectKeyID = null;
 383         } else {
 384             this.subjectKeyID = subjectKeyID.clone();
 385         }
 386     }
 387 
 388     /**
 389      * Sets the authorityKeyIdentifier criterion. The
 390      * <code>X509Certificate</code> must contain an
 391      * AuthorityKeyIdentifier extension for which the contents of the
 392      * extension value matches the specified criterion value.
 393      * If the criterion value is <code>null</code>, no
 394      * authorityKeyIdentifier check will be done.
 395      * <p>
 396      * If <code>authorityKeyID</code> is not <code>null</code>, it
 397      * should contain a single DER encoded value corresponding to the contents
 398      * of the extension value (not including the object identifier,
 399      * criticality setting, and encapsulating OCTET STRING)
 400      * for an AuthorityKeyIdentifier extension.
 401      * The ASN.1 notation for this structure follows.
 402      * <p>
 403      * <pre><code>
 404      * AuthorityKeyIdentifier ::= SEQUENCE {
 405      *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 406      *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 407      *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 408      *
 409      * KeyIdentifier ::= OCTET STRING
 410      * </code></pre>
 411      * <p>
 412      * Authority key identifiers are not parsed by the
 413      * <code>X509CertSelector</code>.  Instead, the values are
 414      * compared using a byte-by-byte comparison.
 415      * <p>
 416      * When the <code>keyIdentifier</code> field of
 417      * <code>AuthorityKeyIdentifier</code> is populated, the value is
 418      * usually taken from the <code>SubjectKeyIdentifier</code> extension
 419      * in the issuer's certificate.  Note, however, that the result of
 420      * <code>X509Certificate.getExtensionValue(&lt;SubjectKeyIdentifier Object
 421      * Identifier&gt;)</code> on the issuer's certificate may NOT be used
 422      * directly as the input to <code>setAuthorityKeyIdentifier</code>.
 423      * This is because the SubjectKeyIdentifier contains
 424      * only a KeyIdentifier OCTET STRING, and not a SEQUENCE of
 425      * KeyIdentifier, GeneralNames, and CertificateSerialNumber.
 426      * In order to use the extension value of the issuer certificate's
 427      * <code>SubjectKeyIdentifier</code>
 428      * extension, it will be necessary to extract the value of the embedded
 429      * <code>KeyIdentifier</code> OCTET STRING, then DER encode this OCTET
 430      * STRING inside a SEQUENCE.
 431      * For more details on SubjectKeyIdentifier, see
 432      * {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}.
 433      * <p>
 434      * Note also that the byte array supplied here is cloned to protect against
 435      * subsequent modifications.
 436      *
 437      * @param authorityKeyID the authority key identifier
 438      *        (or <code>null</code>)
 439      * @see #getAuthorityKeyIdentifier
 440      */
 441     public void setAuthorityKeyIdentifier(byte[] authorityKeyID) {
 442         if (authorityKeyID == null) {
 443             this.authorityKeyID = null;
 444         } else {
 445             this.authorityKeyID = authorityKeyID.clone();
 446         }
 447     }
 448 
 449     /**
 450      * Sets the certificateValid criterion. The specified date must fall
 451      * within the certificate validity period for the
 452      * <code>X509Certificate</code>. If <code>null</code>, no certificateValid
 453      * check will be done.
 454      * <p>
 455      * Note that the <code>Date</code> supplied here is cloned to protect
 456      * against subsequent modifications.
 457      *
 458      * @param certValid the <code>Date</code> to check (or <code>null</code>)
 459      * @see #getCertificateValid
 460      */
 461     public void setCertificateValid(Date certValid) {
 462         if (certValid == null) {
 463             certificateValid = null;
 464         } else {
 465             certificateValid = (Date)certValid.clone();
 466         }
 467     }
 468 
 469     /**
 470      * Sets the privateKeyValid criterion. The specified date must fall
 471      * within the private key validity period for the
 472      * <code>X509Certificate</code>. If <code>null</code>, no privateKeyValid
 473      * check will be done.
 474      * <p>
 475      * Note that the <code>Date</code> supplied here is cloned to protect
 476      * against subsequent modifications.
 477      *
 478      * @param privateKeyValid the <code>Date</code> to check (or
 479      *                        <code>null</code>)
 480      * @see #getPrivateKeyValid
 481      */
 482     public void setPrivateKeyValid(Date privateKeyValid) {
 483         if (privateKeyValid == null) {
 484             this.privateKeyValid = null;
 485         } else {
 486             this.privateKeyValid = (Date)privateKeyValid.clone();
 487         }
 488     }
 489 
 490     /**
 491      * Sets the subjectPublicKeyAlgID criterion. The
 492      * <code>X509Certificate</code> must contain a subject public key
 493      * with the specified algorithm. If <code>null</code>, no
 494      * subjectPublicKeyAlgID check will be done.
 495      *
 496      * @param oid The object identifier (OID) of the algorithm to check
 497      *            for (or <code>null</code>). An OID is represented by a
 498      *            set of nonnegative integers separated by periods.
 499      * @throws IOException if the OID is invalid, such as
 500      * the first component being not 0, 1 or 2 or the second component
 501      * being greater than 39.
 502      *
 503      * @see #getSubjectPublicKeyAlgID
 504      */
 505     public void setSubjectPublicKeyAlgID(String oid) throws IOException {
 506         if (oid == null) {
 507             subjectPublicKeyAlgID = null;
 508         } else {
 509             subjectPublicKeyAlgID = new ObjectIdentifier(oid);
 510         }
 511     }
 512 
 513     /**
 514      * Sets the subjectPublicKey criterion. The
 515      * <code>X509Certificate</code> must contain the specified subject public
 516      * key. If <code>null</code>, no subjectPublicKey check will be done.
 517      *
 518      * @param key the subject public key to check for (or <code>null</code>)
 519      * @see #getSubjectPublicKey
 520      */
 521     public void setSubjectPublicKey(PublicKey key) {
 522         if (key == null) {
 523             subjectPublicKey = null;
 524             subjectPublicKeyBytes = null;
 525         } else {
 526             subjectPublicKey = key;
 527             subjectPublicKeyBytes = key.getEncoded();
 528         }
 529     }
 530 
 531     /**
 532      * Sets the subjectPublicKey criterion. The <code>X509Certificate</code>
 533      * must contain the specified subject public key. If <code>null</code>,
 534      * no subjectPublicKey check will be done.
 535      * <p>
 536      * Because this method allows the public key to be specified as a byte
 537      * array, it may be used for unknown key types.
 538      * <p>
 539      * If <code>key</code> is not <code>null</code>, it should contain a
 540      * single DER encoded SubjectPublicKeyInfo structure, as defined in X.509.
 541      * The ASN.1 notation for this structure is as follows.
 542      * <pre><code>
 543      * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 544      *   algorithm            AlgorithmIdentifier,
 545      *   subjectPublicKey     BIT STRING  }
 546      *
 547      * AlgorithmIdentifier  ::=  SEQUENCE  {
 548      *   algorithm               OBJECT IDENTIFIER,
 549      *   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 550      *                              -- contains a value of the type
 551      *                              -- registered for use with the
 552      *                              -- algorithm object identifier value
 553      * </code></pre>
 554      * <p>
 555      * Note that the byte array supplied here is cloned to protect against
 556      * subsequent modifications.
 557      *
 558      * @param key a byte array containing the subject public key in ASN.1 DER
 559      *            form (or <code>null</code>)
 560      * @throws IOException if an encoding error occurs (incorrect form for
 561      * subject public key)
 562      * @see #getSubjectPublicKey
 563      */
 564     public void setSubjectPublicKey(byte[] key) throws IOException {
 565         if (key == null) {
 566             subjectPublicKey = null;
 567             subjectPublicKeyBytes = null;
 568         } else {
 569             subjectPublicKeyBytes = key.clone();
 570             subjectPublicKey = X509Key.parse(new DerValue(subjectPublicKeyBytes));
 571         }
 572     }
 573 
 574     /**
 575      * Sets the keyUsage criterion. The <code>X509Certificate</code>
 576      * must allow the specified keyUsage values. If <code>null</code>, no
 577      * keyUsage check will be done. Note that an <code>X509Certificate</code>
 578      * that has no keyUsage extension implicitly allows all keyUsage values.
 579      * <p>
 580      * Note that the boolean array supplied here is cloned to protect against
 581      * subsequent modifications.
 582      *
 583      * @param keyUsage a boolean array in the same format as the boolean
 584      *                 array returned by
 585      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
 586      *                 Or <code>null</code>.
 587      * @see #getKeyUsage
 588      */
 589     public void setKeyUsage(boolean[] keyUsage) {
 590         if (keyUsage == null) {
 591             this.keyUsage = null;
 592         } else {
 593             this.keyUsage = keyUsage.clone();
 594         }
 595     }
 596 
 597     /**
 598      * Sets the extendedKeyUsage criterion. The <code>X509Certificate</code>
 599      * must allow the specified key purposes in its extended key usage
 600      * extension. If <code>keyPurposeSet</code> is empty or <code>null</code>,
 601      * no extendedKeyUsage check will be done. Note that an
 602      * <code>X509Certificate</code> that has no extendedKeyUsage extension
 603      * implicitly allows all key purposes.
 604      * <p>
 605      * Note that the <code>Set</code> is cloned to protect against
 606      * subsequent modifications.
 607      *
 608      * @param keyPurposeSet a <code>Set</code> of key purpose OIDs in string
 609      * format (or <code>null</code>). Each OID is represented by a set of
 610      * nonnegative integers separated by periods.
 611      * @throws IOException if the OID is invalid, such as
 612      * the first component being not 0, 1 or 2 or the second component
 613      * being greater than 39.
 614      * @see #getExtendedKeyUsage
 615      */
 616     public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException {
 617         if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
 618             this.keyPurposeSet = null;
 619             keyPurposeOIDSet = null;
 620         } else {
 621             this.keyPurposeSet =
 622                 Collections.unmodifiableSet(new HashSet<String>(keyPurposeSet));
 623             keyPurposeOIDSet = new HashSet<ObjectIdentifier>();
 624             for (String s : this.keyPurposeSet) {
 625                 keyPurposeOIDSet.add(new ObjectIdentifier(s));
 626             }
 627         }
 628     }
 629 
 630     /**
 631      * Enables/disables matching all of the subjectAlternativeNames
 632      * specified in the {@link #setSubjectAlternativeNames
 633      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
 634      * addSubjectAlternativeName} methods. If enabled,
 635      * the <code>X509Certificate</code> must contain all of the
 636      * specified subject alternative names. If disabled, the
 637      * <code>X509Certificate</code> must contain at least one of the
 638      * specified subject alternative names.
 639      *
 640      * <p>The matchAllNames flag is <code>true</code> by default.
 641      *
 642      * @param matchAllNames if <code>true</code>, the flag is enabled;
 643      * if <code>false</code>, the flag is disabled.
 644      * @see #getMatchAllSubjectAltNames
 645      */
 646     public void setMatchAllSubjectAltNames(boolean matchAllNames) {
 647         this.matchAllSubjectAltNames = matchAllNames;
 648     }
 649 
 650     /**
 651      * Sets the subjectAlternativeNames criterion. The
 652      * <code>X509Certificate</code> must contain all or at least one of the
 653      * specified subjectAlternativeNames, depending on the value of
 654      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 655      * setMatchAllSubjectAltNames}).
 656      * <p>
 657      * This method allows the caller to specify, with a single method call,
 658      * the complete set of subject alternative names for the
 659      * subjectAlternativeNames criterion. The specified value replaces
 660      * the previous value for the subjectAlternativeNames criterion.
 661      * <p>
 662      * The <code>names</code> parameter (if not <code>null</code>) is a
 663      * <code>Collection</code> with one
 664      * entry for each name to be included in the subject alternative name
 665      * criterion. Each entry is a <code>List</code> whose first entry is an
 666      * <code>Integer</code> (the name type, 0-8) and whose second
 667      * entry is a <code>String</code> or a byte array (the name, in
 668      * string or ASN.1 DER encoded form, respectively).
 669      * There can be multiple names of the same type. If <code>null</code>
 670      * is supplied as the value for this argument, no
 671      * subjectAlternativeNames check will be performed.
 672      * <p>
 673      * Each subject alternative name in the <code>Collection</code>
 674      * may be specified either as a <code>String</code> or as an ASN.1 encoded
 675      * byte array. For more details about the formats used, see
 676      * {@link #addSubjectAlternativeName(int type, String name)
 677      * addSubjectAlternativeName(int type, String name)} and
 678      * {@link #addSubjectAlternativeName(int type, byte [] name)
 679      * addSubjectAlternativeName(int type, byte [] name)}.
 680      * <p>
 681      * <strong>Note:</strong> for distinguished names, specify the byte
 682      * array form instead of the String form. See the note in
 683      * {@link #addSubjectAlternativeName(int, String)} for more information.
 684      * <p>
 685      * Note that the <code>names</code> parameter can contain duplicate
 686      * names (same name and name type), but they may be removed from the
 687      * <code>Collection</code> of names returned by the
 688      * {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method.
 689      * <p>
 690      * Note that a deep copy is performed on the <code>Collection</code> to
 691      * protect against subsequent modifications.
 692      *
 693      * @param names a <code>Collection</code> of names (or <code>null</code>)
 694      * @throws IOException if a parsing error occurs
 695      * @see #getSubjectAlternativeNames
 696      */
 697     public void setSubjectAlternativeNames(Collection<List<?>> names)
 698             throws IOException {
 699         if (names == null) {
 700             subjectAlternativeNames = null;
 701             subjectAlternativeGeneralNames = null;
 702         } else {
 703             if (names.isEmpty()) {
 704                 subjectAlternativeNames = null;
 705                 subjectAlternativeGeneralNames = null;
 706                 return;
 707             }
 708             Set<List<?>> tempNames = cloneAndCheckNames(names);
 709             // Ensure that we either set both of these or neither
 710             subjectAlternativeGeneralNames = parseNames(tempNames);
 711             subjectAlternativeNames = tempNames;
 712         }
 713     }
 714 
 715     /**
 716      * Adds a name to the subjectAlternativeNames criterion. The
 717      * <code>X509Certificate</code> must contain all or at least one
 718      * of the specified subjectAlternativeNames, depending on the value of
 719      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 720      * setMatchAllSubjectAltNames}).
 721      * <p>
 722      * This method allows the caller to add a name to the set of subject
 723      * alternative names.
 724      * The specified name is added to any previous value for the
 725      * subjectAlternativeNames criterion. If the specified name is a
 726      * duplicate, it may be ignored.
 727      * <p>
 728      * The name is provided in string format.
 729      * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
 730      * names use the well-established string formats for those types (subject to
 731      * the restrictions included in RFC 3280). IPv4 address names are
 732      * supplied using dotted quad notation. OID address names are represented
 733      * as a series of nonnegative integers separated by periods. And
 734      * directory names (distinguished names) are supplied in RFC 2253 format.
 735      * No standard string format is defined for otherNames, X.400 names,
 736      * EDI party names, IPv6 address names, or any other type of names. They
 737      * should be specified using the
 738      * {@link #addSubjectAlternativeName(int type, byte [] name)
 739      * addSubjectAlternativeName(int type, byte [] name)}
 740      * method.
 741      * <p>
 742      * <strong>Note:</strong> for distinguished names, use
 743      * {@linkplain #addSubjectAlternativeName(int, byte[])} instead.
 744      * This method should not be relied on as it can fail to match some
 745      * certificates because of a loss of encoding information in the RFC 2253
 746      * String form of some distinguished names.
 747      *
 748      * @param type the name type (0-8, as specified in
 749      *             RFC 3280, section 4.2.1.7)
 750      * @param name the name in string form (not <code>null</code>)
 751      * @throws IOException if a parsing error occurs
 752      */
 753     public void addSubjectAlternativeName(int type, String name)
 754             throws IOException {
 755         addSubjectAlternativeNameInternal(type, name);
 756     }
 757 
 758     /**
 759      * Adds a name to the subjectAlternativeNames criterion. The
 760      * <code>X509Certificate</code> must contain all or at least one
 761      * of the specified subjectAlternativeNames, depending on the value of
 762      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 763      * setMatchAllSubjectAltNames}).
 764      * <p>
 765      * This method allows the caller to add a name to the set of subject
 766      * alternative names.
 767      * The specified name is added to any previous value for the
 768      * subjectAlternativeNames criterion. If the specified name is a
 769      * duplicate, it may be ignored.
 770      * <p>
 771      * The name is provided as a byte array. This byte array should contain
 772      * the DER encoded name, as it would appear in the GeneralName structure
 773      * defined in RFC 3280 and X.509. The encoded byte array should only contain
 774      * the encoded value of the name, and should not include the tag associated
 775      * with the name in the GeneralName structure. The ASN.1 definition of this
 776      * structure appears below.
 777      * <pre><code>
 778      *  GeneralName ::= CHOICE {
 779      *       otherName                       [0]     OtherName,
 780      *       rfc822Name                      [1]     IA5String,
 781      *       dNSName                         [2]     IA5String,
 782      *       x400Address                     [3]     ORAddress,
 783      *       directoryName                   [4]     Name,
 784      *       ediPartyName                    [5]     EDIPartyName,
 785      *       uniformResourceIdentifier       [6]     IA5String,
 786      *       iPAddress                       [7]     OCTET STRING,
 787      *       registeredID                    [8]     OBJECT IDENTIFIER}
 788      * </code></pre>
 789      * <p>
 790      * Note that the byte array supplied here is cloned to protect against
 791      * subsequent modifications.
 792      *
 793      * @param type the name type (0-8, as listed above)
 794      * @param name a byte array containing the name in ASN.1 DER encoded form
 795      * @throws IOException if a parsing error occurs
 796      */
 797     public void addSubjectAlternativeName(int type, byte[] name)
 798             throws IOException {
 799         // clone because byte arrays are modifiable
 800         addSubjectAlternativeNameInternal(type, name.clone());
 801     }
 802 
 803     /**
 804      * A private method that adds a name (String or byte array) to the
 805      * subjectAlternativeNames criterion. The <code>X509Certificate</code>
 806      * must contain the specified subjectAlternativeName.
 807      *
 808      * @param type the name type (0-8, as specified in
 809      *             RFC 3280, section 4.2.1.7)
 810      * @param name the name in string or byte array form
 811      * @throws IOException if a parsing error occurs
 812      */
 813     private void addSubjectAlternativeNameInternal(int type, Object name)
 814             throws IOException {
 815         // First, ensure that the name parses
 816         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
 817         if (subjectAlternativeNames == null) {
 818             subjectAlternativeNames = new HashSet<List<?>>();
 819         }
 820         if (subjectAlternativeGeneralNames == null) {
 821             subjectAlternativeGeneralNames = new HashSet<GeneralNameInterface>();
 822         }
 823         List<Object> list = new ArrayList<Object>(2);
 824         list.add(Integer.valueOf(type));
 825         list.add(name);
 826         subjectAlternativeNames.add(list);
 827         subjectAlternativeGeneralNames.add(tempName);
 828     }
 829 
 830     /**
 831      * Parse an argument of the form passed to setSubjectAlternativeNames,
 832      * returning a <code>Collection</code> of
 833      * <code>GeneralNameInterface</code>s.
 834      * Throw an IllegalArgumentException or a ClassCastException
 835      * if the argument is malformed.
 836      *
 837      * @param names a Collection with one entry per name.
 838      *              Each entry is a <code>List</code> whose first entry
 839      *              is an Integer (the name type, 0-8) and whose second
 840      *              entry is a String or a byte array (the name, in
 841      *              string or ASN.1 DER encoded form, respectively).
 842      *              There can be multiple names of the same type. Null is
 843      *              not an acceptable value.
 844      * @return a Set of <code>GeneralNameInterface</code>s
 845      * @throws IOException if a parsing error occurs
 846      */
 847     private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException {
 848         Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>();
 849         for (List<?> nameList : names) {
 850             if (nameList.size() != 2) {
 851                 throw new IOException("name list size not 2");
 852             }
 853             Object o =  nameList.get(0);
 854             if (!(o instanceof Integer)) {
 855                 throw new IOException("expected an Integer");
 856             }
 857             int nameType = ((Integer)o).intValue();
 858             o = nameList.get(1);
 859             genNames.add(makeGeneralNameInterface(nameType, o));
 860         }
 861 
 862         return genNames;
 863     }
 864 
 865     /**
 866      * Compare for equality two objects of the form passed to
 867      * setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames).
 868      * Throw an <code>IllegalArgumentException</code> or a
 869      * <code>ClassCastException</code> if one of the objects is malformed.
 870      *
 871      * @param object1 a Collection containing the first object to compare
 872      * @param object2 a Collection containing the second object to compare
 873      * @return true if the objects are equal, false otherwise
 874      */
 875     static boolean equalNames(Collection<?> object1, Collection<?> object2) {
 876         if ((object1 == null) || (object2 == null)) {
 877             return object1 == object2;
 878         }
 879         return object1.equals(object2);
 880     }
 881 
 882     /**
 883      * Make a <code>GeneralNameInterface</code> out of a name type (0-8) and an
 884      * Object that may be a byte array holding the ASN.1 DER encoded
 885      * name or a String form of the name.  Except for X.509
 886      * Distinguished Names, the String form of the name must not be the
 887      * result from calling toString on an existing GeneralNameInterface
 888      * implementing class.  The output of toString is not compatible
 889      * with the String constructors for names other than Distinguished
 890      * Names.
 891      *
 892      * @param type name type (0-8)
 893      * @param name name as ASN.1 Der-encoded byte array or String
 894      * @return a GeneralNameInterface name
 895      * @throws IOException if a parsing error occurs
 896      */
 897     static GeneralNameInterface makeGeneralNameInterface(int type, Object name)
 898             throws IOException {
 899         GeneralNameInterface result;
 900         if (debug != null) {
 901             debug.println("X509CertSelector.makeGeneralNameInterface("
 902                 + type + ")...");
 903         }


 972             default:
 973                 throw new IOException("unable to parse byte array names of "
 974                     + "type " + type);
 975             }
 976             if (debug != null) {
 977                 debug.println("X509CertSelector.makeGeneralNameInterface() result: "
 978                     + result.toString());
 979             }
 980         } else {
 981             if (debug != null) {
 982                 debug.println("X509CertSelector.makeGeneralName() input name "
 983                     + "not String or byte array");
 984             }
 985             throw new IOException("name not String or byte array");
 986         }
 987         return result;
 988     }
 989 
 990 
 991     /**
 992      * Sets the name constraints criterion. The <code>X509Certificate</code>
 993      * must have subject and subject alternative names that
 994      * meet the specified name constraints.
 995      * <p>
 996      * The name constraints are specified as a byte array. This byte array
 997      * should contain the DER encoded form of the name constraints, as they
 998      * would appear in the NameConstraints structure defined in RFC 3280
 999      * and X.509. The ASN.1 definition of this structure appears below.
1000      *
1001      * <pre><code>
1002      *  NameConstraints ::= SEQUENCE {
1003      *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
1004      *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
1005      *
1006      *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1007      *
1008      *  GeneralSubtree ::= SEQUENCE {
1009      *       base                    GeneralName,
1010      *       minimum         [0]     BaseDistance DEFAULT 0,
1011      *       maximum         [1]     BaseDistance OPTIONAL }
1012      *
1013      *  BaseDistance ::= INTEGER (0..MAX)
1014      *
1015      *  GeneralName ::= CHOICE {
1016      *       otherName                       [0]     OtherName,
1017      *       rfc822Name                      [1]     IA5String,
1018      *       dNSName                         [2]     IA5String,
1019      *       x400Address                     [3]     ORAddress,
1020      *       directoryName                   [4]     Name,
1021      *       ediPartyName                    [5]     EDIPartyName,
1022      *       uniformResourceIdentifier       [6]     IA5String,
1023      *       iPAddress                       [7]     OCTET STRING,
1024      *       registeredID                    [8]     OBJECT IDENTIFIER}
1025      * </code></pre>
1026      * <p>
1027      * Note that the byte array supplied here is cloned to protect against
1028      * subsequent modifications.
1029      *
1030      * @param bytes a byte array containing the ASN.1 DER encoding of
1031      *              a NameConstraints extension to be used for checking
1032      *              name constraints. Only the value of the extension is
1033      *              included, not the OID or criticality flag. Can be
1034      *              <code>null</code>,
1035      *              in which case no name constraints check will be performed.
1036      * @throws IOException if a parsing error occurs
1037      * @see #getNameConstraints
1038      */
1039     public void setNameConstraints(byte[] bytes) throws IOException {
1040         if (bytes == null) {
1041             ncBytes = null;
1042             nc = null;
1043         } else {
1044             ncBytes = bytes.clone();
1045             nc = new NameConstraintsExtension(FALSE, bytes);
1046         }
1047     }
1048 
1049     /**
1050      * Sets the basic constraints constraint. If the value is greater than or
1051      * equal to zero, <code>X509Certificates</code> must include a
1052      * basicConstraints extension with
1053      * a pathLen of at least this value. If the value is -2, only end-entity
1054      * certificates are accepted. If the value is -1, no check is done.
1055      * <p>
1056      * This constraint is useful when building a certification path forward
1057      * (from the target toward the trust anchor. If a partial path has been
1058      * built, any candidate certificate must have a maxPathLen value greater
1059      * than or equal to the number of certificates in the partial path.
1060      *
1061      * @param minMaxPathLen the value for the basic constraints constraint
1062      * @throws IllegalArgumentException if the value is less than -2
1063      * @see #getBasicConstraints
1064      */
1065     public void setBasicConstraints(int minMaxPathLen) {
1066         if (minMaxPathLen < -2) {
1067             throw new IllegalArgumentException("basic constraints less than -2");
1068         }
1069         basicConstraints = minMaxPathLen;
1070     }
1071 
1072     /**
1073      * Sets the policy constraint. The <code>X509Certificate</code> must
1074      * include at least one of the specified policies in its certificate
1075      * policies extension. If <code>certPolicySet</code> is empty, then the
1076      * <code>X509Certificate</code> must include at least some specified policy
1077      * in its certificate policies extension. If <code>certPolicySet</code> is
1078      * <code>null</code>, no policy check will be performed.
1079      * <p>
1080      * Note that the <code>Set</code> is cloned to protect against
1081      * subsequent modifications.
1082      *
1083      * @param certPolicySet a <code>Set</code> of certificate policy OIDs in
1084      *                      string format (or <code>null</code>). Each OID is
1085      *                      represented by a set of nonnegative integers
1086      *                    separated by periods.
1087      * @throws IOException if a parsing error occurs on the OID such as
1088      * the first component is not 0, 1 or 2 or the second component is
1089      * greater than 39.
1090      * @see #getPolicy
1091      */
1092     public void setPolicy(Set<String> certPolicySet) throws IOException {
1093         if (certPolicySet == null) {
1094             policySet = null;
1095             policy = null;
1096         } else {
1097             // Snapshot set and parse it
1098             Set<String> tempSet = Collections.unmodifiableSet
1099                                         (new HashSet<String>(certPolicySet));
1100             /* Convert to Vector of ObjectIdentifiers */
1101             Iterator<String> i = tempSet.iterator();
1102             Vector<CertificatePolicyId> polIdVector = new Vector<CertificatePolicyId>();
1103             while (i.hasNext()) {
1104                 Object o = i.next();
1105                 if (!(o instanceof String)) {
1106                     throw new IOException("non String in certPolicySet");
1107                 }
1108                 polIdVector.add(new CertificatePolicyId(new ObjectIdentifier(
1109                   (String)o)));
1110             }
1111             // If everything went OK, make the changes
1112             policySet = tempSet;
1113             policy = new CertificatePolicySet(polIdVector);
1114         }
1115     }
1116 
1117     /**
1118      * Sets the pathToNames criterion. The <code>X509Certificate</code> must
1119      * not include name constraints that would prohibit building a
1120      * path to the specified names.
1121      * <p>
1122      * This method allows the caller to specify, with a single method call,
1123      * the complete set of names which the <code>X509Certificates</code>'s
1124      * name constraints must permit. The specified value replaces
1125      * the previous value for the pathToNames criterion.
1126      * <p>
1127      * This constraint is useful when building a certification path forward
1128      * (from the target toward the trust anchor. If a partial path has been
1129      * built, any candidate certificate must not include name constraints that
1130      * would prohibit building a path to any of the names in the partial path.
1131      * <p>
1132      * The <code>names</code> parameter (if not <code>null</code>) is a
1133      * <code>Collection</code> with one
1134      * entry for each name to be included in the pathToNames
1135      * criterion. Each entry is a <code>List</code> whose first entry is an
1136      * <code>Integer</code> (the name type, 0-8) and whose second
1137      * entry is a <code>String</code> or a byte array (the name, in
1138      * string or ASN.1 DER encoded form, respectively).
1139      * There can be multiple names of the same type. If <code>null</code>
1140      * is supplied as the value for this argument, no
1141      * pathToNames check will be performed.
1142      * <p>
1143      * Each name in the <code>Collection</code>
1144      * may be specified either as a <code>String</code> or as an ASN.1 encoded
1145      * byte array. For more details about the formats used, see
1146      * {@link #addPathToName(int type, String name)
1147      * addPathToName(int type, String name)} and
1148      * {@link #addPathToName(int type, byte [] name)
1149      * addPathToName(int type, byte [] name)}.
1150      * <p>
1151      * <strong>Note:</strong> for distinguished names, specify the byte
1152      * array form instead of the String form. See the note in
1153      * {@link #addPathToName(int, String)} for more information.
1154      * <p>
1155      * Note that the <code>names</code> parameter can contain duplicate
1156      * names (same name and name type), but they may be removed from the
1157      * <code>Collection</code> of names returned by the
1158      * {@link #getPathToNames getPathToNames} method.
1159      * <p>
1160      * Note that a deep copy is performed on the <code>Collection</code> to
1161      * protect against subsequent modifications.
1162      *
1163      * @param names a <code>Collection</code> with one entry per name
1164      *              (or <code>null</code>)
1165      * @throws IOException if a parsing error occurs
1166      * @see #getPathToNames
1167      */
1168     public void setPathToNames(Collection<List<?>> names) throws IOException {
1169         if ((names == null) || names.isEmpty()) {
1170             pathToNames = null;
1171             pathToGeneralNames = null;
1172         } else {
1173             Set<List<?>> tempNames = cloneAndCheckNames(names);
1174             pathToGeneralNames = parseNames(tempNames);
1175             // Ensure that we either set both of these or neither
1176             pathToNames = tempNames;
1177         }
1178     }
1179 
1180     // called from CertPathHelper
1181     void setPathToNamesInternal(Set<GeneralNameInterface> names) {
1182         // set names to non-null dummy value
1183         // this breaks getPathToNames()
1184         pathToNames = Collections.<List<?>>emptySet();
1185         pathToGeneralNames = names;
1186     }
1187 
1188     /**
1189      * Adds a name to the pathToNames criterion. The <code>X509Certificate</code>
1190      * must not include name constraints that would prohibit building a
1191      * path to the specified name.
1192      * <p>
1193      * This method allows the caller to add a name to the set of names which
1194      * the <code>X509Certificates</code>'s name constraints must permit.
1195      * The specified name is added to any previous value for the
1196      * pathToNames criterion.  If the name is a duplicate, it may be ignored.
1197      * <p>
1198      * The name is provided in string format. RFC 822, DNS, and URI names
1199      * use the well-established string formats for those types (subject to
1200      * the restrictions included in RFC 3280). IPv4 address names are
1201      * supplied using dotted quad notation. OID address names are represented
1202      * as a series of nonnegative integers separated by periods. And
1203      * directory names (distinguished names) are supplied in RFC 2253 format.
1204      * No standard string format is defined for otherNames, X.400 names,
1205      * EDI party names, IPv6 address names, or any other type of names. They
1206      * should be specified using the
1207      * {@link #addPathToName(int type, byte [] name)
1208      * addPathToName(int type, byte [] name)} method.
1209      * <p>
1210      * <strong>Note:</strong> for distinguished names, use
1211      * {@linkplain #addPathToName(int, byte[])} instead.
1212      * This method should not be relied on as it can fail to match some
1213      * certificates because of a loss of encoding information in the RFC 2253
1214      * String form of some distinguished names.
1215      *
1216      * @param type the name type (0-8, as specified in
1217      *             RFC 3280, section 4.2.1.7)
1218      * @param name the name in string form
1219      * @throws IOException if a parsing error occurs
1220      */
1221     public void addPathToName(int type, String name) throws IOException {
1222         addPathToNameInternal(type, name);
1223     }
1224 
1225     /**
1226      * Adds a name to the pathToNames criterion. The <code>X509Certificate</code>
1227      * must not include name constraints that would prohibit building a
1228      * path to the specified name.
1229      * <p>
1230      * This method allows the caller to add a name to the set of names which
1231      * the <code>X509Certificates</code>'s name constraints must permit.
1232      * The specified name is added to any previous value for the
1233      * pathToNames criterion. If the name is a duplicate, it may be ignored.
1234      * <p>
1235      * The name is provided as a byte array. This byte array should contain
1236      * the DER encoded name, as it would appear in the GeneralName structure
1237      * defined in RFC 3280 and X.509. The ASN.1 definition of this structure
1238      * appears in the documentation for
1239      * {@link #addSubjectAlternativeName(int type, byte [] name)
1240      * addSubjectAlternativeName(int type, byte [] name)}.
1241      * <p>
1242      * Note that the byte array supplied here is cloned to protect against
1243      * subsequent modifications.
1244      *
1245      * @param type the name type (0-8, as specified in
1246      *             RFC 3280, section 4.2.1.7)
1247      * @param name a byte array containing the name in ASN.1 DER encoded form
1248      * @throws IOException if a parsing error occurs
1249      */
1250     public void addPathToName(int type, byte [] name) throws IOException {
1251         // clone because byte arrays are modifiable
1252         addPathToNameInternal(type, name.clone());
1253     }
1254 
1255     /**
1256      * A private method that adds a name (String or byte array) to the
1257      * pathToNames criterion. The <code>X509Certificate</code> must contain
1258      * the specified pathToName.
1259      *
1260      * @param type the name type (0-8, as specified in
1261      *             RFC 3280, section 4.2.1.7)
1262      * @param name the name in string or byte array form
1263      * @throws IOException if an encoding error occurs (incorrect form for DN)
1264      */
1265     private void addPathToNameInternal(int type, Object name)
1266             throws IOException {
1267         // First, ensure that the name parses
1268         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
1269         if (pathToGeneralNames == null) {
1270             pathToNames = new HashSet<List<?>>();
1271             pathToGeneralNames = new HashSet<GeneralNameInterface>();
1272         }
1273         List<Object> list = new ArrayList<Object>(2);
1274         list.add(Integer.valueOf(type));
1275         list.add(name);
1276         pathToNames.add(list);
1277         pathToGeneralNames.add(tempName);
1278     }
1279 
1280     /**
1281      * Returns the certificateEquals criterion. The specified
1282      * <code>X509Certificate</code> must be equal to the
1283      * <code>X509Certificate</code> passed to the <code>match</code> method.
1284      * If <code>null</code>, this check is not applied.
1285      *
1286      * @return the <code>X509Certificate</code> to match (or <code>null</code>)
1287      * @see #setCertificate
1288      */
1289     public X509Certificate getCertificate() {
1290         return x509Cert;
1291     }
1292 
1293     /**
1294      * Returns the serialNumber criterion. The specified serial number
1295      * must match the certificate serial number in the
1296      * <code>X509Certificate</code>. If <code>null</code>, any certificate
1297      * serial number will do.
1298      *
1299      * @return the certificate serial number to match
1300      *                (or <code>null</code>)
1301      * @see #setSerialNumber
1302      */
1303     public BigInteger getSerialNumber() {
1304         return serialNumber;
1305     }
1306 
1307     /**
1308      * Returns the issuer criterion as an <code>X500Principal</code>. This
1309      * distinguished name must match the issuer distinguished name in the
1310      * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion
1311      * is disabled and any issuer distinguished name will do.
1312      *
1313      * @return the required issuer distinguished name as X500Principal
1314      *         (or <code>null</code>)
1315      * @since 1.5
1316      */
1317     public X500Principal getIssuer() {
1318         return issuer;
1319     }
1320 
1321     /**
1322      * <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
1323      * {@linkplain #getIssuerAsBytes()} instead. This method should not be
1324      * relied on as it can fail to match some certificates because of a loss of
1325      * encoding information in the RFC 2253 String form of some distinguished
1326      * names.
1327      * <p>
1328      * Returns the issuer criterion as a <code>String</code>. This
1329      * distinguished name must match the issuer distinguished name in the
1330      * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion
1331      * is disabled and any issuer distinguished name will do.
1332      * <p>
1333      * If the value returned is not <code>null</code>, it is a
1334      * distinguished name, in RFC 2253 format.
1335      *
1336      * @return the required issuer distinguished name in RFC 2253 format
1337      *         (or <code>null</code>)
1338      */
1339     public String getIssuerAsString() {
1340         return (issuer == null ? null : issuer.getName());
1341     }
1342 
1343     /**
1344      * Returns the issuer criterion as a byte array. This distinguished name
1345      * must match the issuer distinguished name in the
1346      * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion
1347      * is disabled and any issuer distinguished name will do.
1348      * <p>
1349      * If the value returned is not <code>null</code>, it is a byte
1350      * array containing a single DER encoded distinguished name, as defined in
1351      * X.501. The ASN.1 notation for this structure is supplied in the
1352      * documentation for
1353      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
1354      * <p>
1355      * Note that the byte array returned is cloned to protect against
1356      * subsequent modifications.
1357      *
1358      * @return a byte array containing the required issuer distinguished name
1359      *         in ASN.1 DER format (or <code>null</code>)
1360      * @throws IOException if an encoding error occurs
1361      */
1362     public byte[] getIssuerAsBytes() throws IOException {
1363         return (issuer == null ? null: issuer.getEncoded());
1364     }
1365 
1366     /**
1367      * Returns the subject criterion as an <code>X500Principal</code>. This
1368      * distinguished name must match the subject distinguished name in the
1369      * <code>X509Certificate</code>. If <code>null</code>, the subject criterion
1370      * is disabled and any subject distinguished name will do.
1371      *
1372      * @return the required subject distinguished name as X500Principal
1373      *         (or <code>null</code>)
1374      * @since 1.5
1375      */
1376     public X500Principal getSubject() {
1377         return subject;
1378     }
1379 
1380     /**
1381      * <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
1382      * {@linkplain #getSubjectAsBytes()} instead. This method should not be
1383      * relied on as it can fail to match some certificates because of a loss of
1384      * encoding information in the RFC 2253 String form of some distinguished
1385      * names.
1386      * <p>
1387      * Returns the subject criterion as a <code>String</code>. This
1388      * distinguished name must match the subject distinguished name in the
1389      * <code>X509Certificate</code>. If <code>null</code>, the subject criterion
1390      * is disabled and any subject distinguished name will do.
1391      * <p>
1392      * If the value returned is not <code>null</code>, it is a
1393      * distinguished name, in RFC 2253 format.
1394      *
1395      * @return the required subject distinguished name in RFC 2253 format
1396      *         (or <code>null</code>)
1397      */
1398     public String getSubjectAsString() {
1399         return (subject == null ? null : subject.getName());
1400     }
1401 
1402     /**
1403      * Returns the subject criterion as a byte array. This distinguished name
1404      * must match the subject distinguished name in the
1405      * <code>X509Certificate</code>. If <code>null</code>, the subject criterion
1406      * is disabled and any subject distinguished name will do.
1407      * <p>
1408      * If the value returned is not <code>null</code>, it is a byte
1409      * array containing a single DER encoded distinguished name, as defined in
1410      * X.501. The ASN.1 notation for this structure is supplied in the
1411      * documentation for
1412      * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
1413      * <p>
1414      * Note that the byte array returned is cloned to protect against
1415      * subsequent modifications.
1416      *
1417      * @return a byte array containing the required subject distinguished name
1418      *         in ASN.1 DER format (or <code>null</code>)
1419      * @throws IOException if an encoding error occurs
1420      */
1421     public byte[] getSubjectAsBytes() throws IOException {
1422         return (subject == null ? null : subject.getEncoded());
1423     }
1424 
1425     /**
1426      * Returns the subjectKeyIdentifier criterion. The
1427      * <code>X509Certificate</code> must contain a SubjectKeyIdentifier
1428      * extension with the specified value. If <code>null</code>, no
1429      * subjectKeyIdentifier check will be done.
1430      * <p>
1431      * Note that the byte array returned is cloned to protect against
1432      * subsequent modifications.
1433      *
1434      * @return the key identifier (or <code>null</code>)
1435      * @see #setSubjectKeyIdentifier
1436      */
1437     public byte[] getSubjectKeyIdentifier() {
1438         if (subjectKeyID == null) {
1439             return null;
1440         }
1441         return subjectKeyID.clone();
1442     }
1443 
1444     /**
1445      * Returns the authorityKeyIdentifier criterion. The
1446      * <code>X509Certificate</code> must contain a AuthorityKeyIdentifier
1447      * extension with the specified value. If <code>null</code>, no
1448      * authorityKeyIdentifier check will be done.
1449      * <p>
1450      * Note that the byte array returned is cloned to protect against
1451      * subsequent modifications.
1452      *
1453      * @return the key identifier (or <code>null</code>)
1454      * @see #setAuthorityKeyIdentifier
1455      */
1456     public byte[] getAuthorityKeyIdentifier() {
1457         if (authorityKeyID == null) {
1458           return null;
1459         }
1460         return authorityKeyID.clone();
1461     }
1462 
1463     /**
1464      * Returns the certificateValid criterion. The specified date must fall
1465      * within the certificate validity period for the
1466      * <code>X509Certificate</code>. If <code>null</code>, no certificateValid
1467      * check will be done.
1468      * <p>
1469      * Note that the <code>Date</code> returned is cloned to protect against
1470      * subsequent modifications.
1471      *
1472      * @return the <code>Date</code> to check (or <code>null</code>)
1473      * @see #setCertificateValid
1474      */
1475     public Date getCertificateValid() {
1476         if (certificateValid == null) {
1477             return null;
1478         }
1479         return (Date)certificateValid.clone();
1480     }
1481 
1482     /**
1483      * Returns the privateKeyValid criterion. The specified date must fall
1484      * within the private key validity period for the
1485      * <code>X509Certificate</code>. If <code>null</code>, no privateKeyValid
1486      * check will be done.
1487      * <p>
1488      * Note that the <code>Date</code> returned is cloned to protect against
1489      * subsequent modifications.
1490      *
1491      * @return the <code>Date</code> to check (or <code>null</code>)
1492      * @see #setPrivateKeyValid
1493      */
1494     public Date getPrivateKeyValid() {
1495         if (privateKeyValid == null) {
1496             return null;
1497         }
1498         return (Date)privateKeyValid.clone();
1499     }
1500 
1501     /**
1502      * Returns the subjectPublicKeyAlgID criterion. The
1503      * <code>X509Certificate</code> must contain a subject public key
1504      * with the specified algorithm. If <code>null</code>, no
1505      * subjectPublicKeyAlgID check will be done.
1506      *
1507      * @return the object identifier (OID) of the signature algorithm to check
1508      *         for (or <code>null</code>). An OID is represented by a set of
1509      *         nonnegative integers separated by periods.
1510      * @see #setSubjectPublicKeyAlgID
1511      */
1512     public String getSubjectPublicKeyAlgID() {
1513         if (subjectPublicKeyAlgID == null) {
1514             return null;
1515         }
1516         return subjectPublicKeyAlgID.toString();
1517     }
1518 
1519     /**
1520      * Returns the subjectPublicKey criterion. The
1521      * <code>X509Certificate</code> must contain the specified subject
1522      * public key. If <code>null</code>, no subjectPublicKey check will be done.
1523      *
1524      * @return the subject public key to check for (or <code>null</code>)
1525      * @see #setSubjectPublicKey
1526      */
1527     public PublicKey getSubjectPublicKey() {
1528         return subjectPublicKey;
1529     }
1530 
1531     /**
1532      * Returns the keyUsage criterion. The <code>X509Certificate</code>
1533      * must allow the specified keyUsage values. If null, no keyUsage
1534      * check will be done.
1535      * <p>
1536      * Note that the boolean array returned is cloned to protect against
1537      * subsequent modifications.
1538      *
1539      * @return a boolean array in the same format as the boolean
1540      *                 array returned by
1541      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
1542      *                 Or <code>null</code>.
1543      * @see #setKeyUsage
1544      */
1545     public boolean[] getKeyUsage() {
1546         if (keyUsage == null) {
1547             return null;
1548         }
1549         return keyUsage.clone();
1550     }
1551 
1552     /**
1553      * Returns the extendedKeyUsage criterion. The <code>X509Certificate</code>
1554      * must allow the specified key purposes in its extended key usage
1555      * extension. If the <code>keyPurposeSet</code> returned is empty or
1556      * <code>null</code>, no extendedKeyUsage check will be done. Note that an
1557      * <code>X509Certificate</code> that has no extendedKeyUsage extension
1558      * implicitly allows all key purposes.
1559      *
1560      * @return an immutable <code>Set</code> of key purpose OIDs in string
1561      * format (or <code>null</code>)
1562      * @see #setExtendedKeyUsage
1563      */
1564     public Set<String> getExtendedKeyUsage() {
1565         return keyPurposeSet;
1566     }
1567 
1568     /**
1569      * Indicates if the <code>X509Certificate</code> must contain all
1570      * or at least one of the subjectAlternativeNames
1571      * specified in the {@link #setSubjectAlternativeNames
1572      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
1573      * addSubjectAlternativeName} methods. If <code>true</code>,
1574      * the <code>X509Certificate</code> must contain all of the
1575      * specified subject alternative names. If <code>false</code>, the
1576      * <code>X509Certificate</code> must contain at least one of the
1577      * specified subject alternative names.
1578      *
1579      * @return <code>true</code> if the flag is enabled;
1580      * <code>false</code> if the flag is disabled. The flag is
1581      * <code>true</code> by default.
1582      * @see #setMatchAllSubjectAltNames
1583      */
1584     public boolean getMatchAllSubjectAltNames() {
1585         return matchAllSubjectAltNames;
1586     }
1587 
1588     /**
1589      * Returns a copy of the subjectAlternativeNames criterion.
1590      * The <code>X509Certificate</code> must contain all or at least one
1591      * of the specified subjectAlternativeNames, depending on the value
1592      * of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames
1593      * getMatchAllSubjectAltNames}). If the value returned is
1594      * <code>null</code>, no subjectAlternativeNames check will be performed.
1595      * <p>
1596      * If the value returned is not <code>null</code>, it is a
1597      * <code>Collection</code> with
1598      * one entry for each name to be included in the subject alternative name
1599      * criterion. Each entry is a <code>List</code> whose first entry is an
1600      * <code>Integer</code> (the name type, 0-8) and whose second
1601      * entry is a <code>String</code> or a byte array (the name, in
1602      * string or ASN.1 DER encoded form, respectively).
1603      * There can be multiple names of the same type.  Note that the
1604      * <code>Collection</code> returned may contain duplicate names (same name
1605      * and name type).
1606      * <p>
1607      * Each subject alternative name in the <code>Collection</code>
1608      * may be specified either as a <code>String</code> or as an ASN.1 encoded
1609      * byte array. For more details about the formats used, see
1610      * {@link #addSubjectAlternativeName(int type, String name)
1611      * addSubjectAlternativeName(int type, String name)} and
1612      * {@link #addSubjectAlternativeName(int type, byte [] name)
1613      * addSubjectAlternativeName(int type, byte [] name)}.
1614      * <p>
1615      * Note that a deep copy is performed on the <code>Collection</code> to
1616      * protect against subsequent modifications.
1617      *
1618      * @return a <code>Collection</code> of names (or <code>null</code>)
1619      * @see #setSubjectAlternativeNames
1620      */
1621     public Collection<List<?>> getSubjectAlternativeNames() {
1622         if (subjectAlternativeNames == null) {
1623             return null;
1624         }
1625         return cloneNames(subjectAlternativeNames);
1626     }
1627 
1628     /**
1629      * Clone an object of the form passed to
1630      * setSubjectAlternativeNames and setPathToNames.
1631      * Throw a <code>RuntimeException</code> if the argument is malformed.
1632      * <p>
1633      * This method wraps cloneAndCheckNames, changing any
1634      * <code>IOException</code> into a <code>RuntimeException</code>. This
1635      * method should be used when the object being
1636      * cloned has already been checked, so there should never be any exceptions.
1637      *
1638      * @param names a <code>Collection</code> with one entry per name.
1639      *              Each entry is a <code>List</code> whose first entry
1640      *              is an Integer (the name type, 0-8) and whose second
1641      *              entry is a String or a byte array (the name, in
1642      *              string or ASN.1 DER encoded form, respectively).
1643      *              There can be multiple names of the same type. Null
1644      *              is not an acceptable value.
1645      * @return a deep copy of the specified <code>Collection</code>
1646      * @throws RuntimeException if a parsing error occurs
1647      */
1648     private static Set<List<?>> cloneNames(Collection<List<?>> names) {
1649         try {
1650             return cloneAndCheckNames(names);
1651         } catch (IOException e) {
1652             throw new RuntimeException("cloneNames encountered IOException: " +
1653                                        e.getMessage());
1654         }
1655     }
1656 
1657     /**
1658      * Clone and check an argument of the form passed to
1659      * setSubjectAlternativeNames and setPathToNames.
1660      * Throw an <code>IOException</code> if the argument is malformed.
1661      *
1662      * @param names a <code>Collection</code> with one entry per name.
1663      *              Each entry is a <code>List</code> whose first entry
1664      *              is an Integer (the name type, 0-8) and whose second
1665      *              entry is a String or a byte array (the name, in
1666      *              string or ASN.1 DER encoded form, respectively).
1667      *              There can be multiple names of the same type.
1668      *              <code>null</code> is not an acceptable value.
1669      * @return a deep copy of the specified <code>Collection</code>
1670      * @throws IOException if a parsing error occurs
1671      */
1672     private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException {
1673         // Copy the Lists and Collection
1674         Set<List<?>> namesCopy = new HashSet<List<?>>();
1675         for (List<?> o : names)
1676         {
1677             namesCopy.add(new ArrayList<Object>(o));
1678         }
1679 
1680         // Check the contents of the Lists and clone any byte arrays
1681         for (List<?> list : namesCopy) {
1682             @SuppressWarnings("unchecked") // See javadoc for parameter "names".
1683             List<Object> nameList = (List<Object>)list;
1684             if (nameList.size() != 2) {
1685                 throw new IOException("name list size not 2");
1686             }
1687             Object o = nameList.get(0);
1688             if (!(o instanceof Integer)) {
1689                 throw new IOException("expected an Integer");


1692             if ((nameType < 0) || (nameType > 8)) {
1693                 throw new IOException("name type not 0-8");
1694             }
1695             Object nameObject = nameList.get(1);
1696             if (!(nameObject instanceof byte[]) &&
1697                 !(nameObject instanceof String)) {
1698                 if (debug != null) {
1699                     debug.println("X509CertSelector.cloneAndCheckNames() "
1700                         + "name not byte array");
1701                 }
1702                 throw new IOException("name not byte array or String");
1703             }
1704             if (nameObject instanceof byte[]) {
1705                 nameList.set(1, ((byte[]) nameObject).clone());
1706             }
1707         }
1708         return namesCopy;
1709     }
1710 
1711     /**
1712      * Returns the name constraints criterion. The <code>X509Certificate</code>
1713      * must have subject and subject alternative names that
1714      * meet the specified name constraints.
1715      * <p>
1716      * The name constraints are returned as a byte array. This byte array
1717      * contains the DER encoded form of the name constraints, as they
1718      * would appear in the NameConstraints structure defined in RFC 3280
1719      * and X.509. The ASN.1 notation for this structure is supplied in the
1720      * documentation for
1721      * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}.
1722      * <p>
1723      * Note that the byte array returned is cloned to protect against
1724      * subsequent modifications.
1725      *
1726      * @return a byte array containing the ASN.1 DER encoding of
1727      *         a NameConstraints extension used for checking name constraints.
1728      *         <code>null</code> if no name constraints check will be performed.
1729      * @see #setNameConstraints
1730      */
1731     public byte[] getNameConstraints() {
1732         if (ncBytes == null) {
1733             return null;
1734         } else {
1735             return ncBytes.clone();
1736         }
1737     }
1738 
1739     /**
1740      * Returns the basic constraints constraint. If the value is greater than
1741      * or equal to zero, the <code>X509Certificates</code> must include a
1742      * basicConstraints extension with a pathLen of at least this value.
1743      * If the value is -2, only end-entity certificates are accepted. If
1744      * the value is -1, no basicConstraints check is done.
1745      *
1746      * @return the value for the basic constraints constraint
1747      * @see #setBasicConstraints
1748      */
1749     public int getBasicConstraints() {
1750         return basicConstraints;
1751     }
1752 
1753     /**
1754      * Returns the policy criterion. The <code>X509Certificate</code> must
1755      * include at least one of the specified policies in its certificate policies
1756      * extension. If the <code>Set</code> returned is empty, then the
1757      * <code>X509Certificate</code> must include at least some specified policy
1758      * in its certificate policies extension. If the <code>Set</code> returned is
1759      * <code>null</code>, no policy check will be performed.
1760      *
1761      * @return an immutable <code>Set</code> of certificate policy OIDs in
1762      *         string format (or <code>null</code>)
1763      * @see #setPolicy
1764      */
1765     public Set<String> getPolicy() {
1766         return policySet;
1767     }
1768 
1769     /**
1770      * Returns a copy of the pathToNames criterion. The
1771      * <code>X509Certificate</code> must not include name constraints that would
1772      * prohibit building a path to the specified names. If the value
1773      * returned is <code>null</code>, no pathToNames check will be performed.
1774      * <p>
1775      * If the value returned is not <code>null</code>, it is a
1776      * <code>Collection</code> with one
1777      * entry for each name to be included in the pathToNames
1778      * criterion. Each entry is a <code>List</code> whose first entry is an
1779      * <code>Integer</code> (the name type, 0-8) and whose second
1780      * entry is a <code>String</code> or a byte array (the name, in
1781      * string or ASN.1 DER encoded form, respectively).
1782      * There can be multiple names of the same type. Note that the
1783      * <code>Collection</code> returned may contain duplicate names (same
1784      * name and name type).
1785      * <p>
1786      * Each name in the <code>Collection</code>
1787      * may be specified either as a <code>String</code> or as an ASN.1 encoded
1788      * byte array. For more details about the formats used, see
1789      * {@link #addPathToName(int type, String name)
1790      * addPathToName(int type, String name)} and
1791      * {@link #addPathToName(int type, byte [] name)
1792      * addPathToName(int type, byte [] name)}.
1793      * <p>
1794      * Note that a deep copy is performed on the <code>Collection</code> to
1795      * protect against subsequent modifications.
1796      *
1797      * @return a <code>Collection</code> of names (or <code>null</code>)
1798      * @see #setPathToNames
1799      */
1800     public Collection<List<?>> getPathToNames() {
1801         if (pathToNames == null) {
1802             return null;
1803         }
1804         return cloneNames(pathToNames);
1805     }
1806 
1807     /**
1808      * Return a printable representation of the <code>CertSelector</code>.
1809      *
1810      * @return a <code>String</code> describing the contents of the
1811      *         <code>CertSelector</code>
1812      */
1813     public String toString() {
1814         StringBuffer sb = new StringBuffer();
1815         sb.append("X509CertSelector: [\n");
1816         if (x509Cert != null) {
1817             sb.append("  Certificate: " + x509Cert.toString() + "\n");
1818         }
1819         if (serialNumber != null) {
1820             sb.append("  Serial Number: " + serialNumber.toString() + "\n");
1821         }
1822         if (issuer != null) {
1823             sb.append("  Issuer: " + getIssuerAsString() + "\n");
1824         }
1825         if (subject != null) {
1826             sb.append("  Subject: " + getSubjectAsString() + "\n");
1827         }
1828         sb.append("  matchAllSubjectAltNames flag: "
1829                   + String.valueOf(matchAllSubjectAltNames) + "\n");
1830         if (subjectAlternativeNames != null) {
1831             sb.append("  SubjectAlternativeNames:\n");


1910                 s += "  Key_CertSign\n";
1911             }
1912             if (k[6]) {
1913                 s += "  Crl_Sign\n";
1914             }
1915             if (k[7]) {
1916                 s += "  Encipher_Only\n";
1917             }
1918             if (k[8]) {
1919                 s += "  Decipher_Only\n";
1920             }
1921         } catch (ArrayIndexOutOfBoundsException ex) {}
1922 
1923         s += "]\n";
1924 
1925         return (s);
1926     }
1927 
1928     /**
1929      * Returns an Extension object given any X509Certificate and extension oid.
1930      * Throw an <code>IOException</code> if the extension byte value is
1931      * malformed.
1932      *
1933      * @param cert a <code>X509Certificate</code>
1934      * @param extId an <code>integer</code> which specifies the extension index.
1935      * Currently, the supported extensions are as follows:
1936      * index 0 - PrivateKeyUsageExtension
1937      * index 1 - SubjectAlternativeNameExtension
1938      * index 2 - NameConstraintsExtension
1939      * index 3 - CertificatePoliciesExtension
1940      * index 4 - ExtendedKeyUsageExtension
1941      * @return an <code>Extension</code> object whose real type is as specified
1942      * by the extension oid.
1943      * @throws IOException if cannot construct the <code>Extension</code>
1944      * object with the extension encoding retrieved from the passed in
1945      * <code>X509Certificate</code>.
1946      */
1947     private static Extension getExtensionObject(X509Certificate cert, int extId)
1948             throws IOException {
1949         if (cert instanceof X509CertImpl) {
1950             X509CertImpl impl = (X509CertImpl)cert;
1951             switch (extId) {
1952             case PRIVATE_KEY_USAGE_ID:
1953                 return impl.getPrivateKeyUsageExtension();
1954             case SUBJECT_ALT_NAME_ID:
1955                 return impl.getSubjectAlternativeNameExtension();
1956             case NAME_CONSTRAINTS_ID:
1957                 return impl.getNameConstraintsExtension();
1958             case CERT_POLICIES_ID:
1959                 return impl.getCertificatePoliciesExtension();
1960             case EXTENDED_KEY_USAGE_ID:
1961                 return impl.getExtendedKeyUsageExtension();
1962             default:
1963                 return null;
1964             }
1965         }


1973         case PRIVATE_KEY_USAGE_ID:
1974             try {
1975                 return new PrivateKeyUsageExtension(FALSE, encoded);
1976             } catch (CertificateException ex) {
1977                 throw new IOException(ex.getMessage());
1978             }
1979         case SUBJECT_ALT_NAME_ID:
1980             return new SubjectAlternativeNameExtension(FALSE, encoded);
1981         case NAME_CONSTRAINTS_ID:
1982             return new NameConstraintsExtension(FALSE, encoded);
1983         case CERT_POLICIES_ID:
1984             return new CertificatePoliciesExtension(FALSE, encoded);
1985         case EXTENDED_KEY_USAGE_ID:
1986             return new ExtendedKeyUsageExtension(FALSE, encoded);
1987         default:
1988             return null;
1989         }
1990     }
1991 
1992     /**
1993      * Decides whether a <code>Certificate</code> should be selected.
1994      *
1995      * @param cert the <code>Certificate</code> to be checked
1996      * @return <code>true</code> if the <code>Certificate</code> should be
1997      *         selected, <code>false</code> otherwise
1998      */
1999     public boolean match(Certificate cert) {
2000         if (!(cert instanceof X509Certificate)) {
2001             return false;
2002         }
2003         X509Certificate xcert = (X509Certificate)cert;
2004 
2005         if (debug != null) {
2006             debug.println("X509CertSelector.match(SN: "
2007                 + (xcert.getSerialNumber()).toString(16) + "\n  Issuer: "
2008                 + xcert.getIssuerDN() + "\n  Subject: " + xcert.getSubjectDN()
2009                 + ")");
2010         }
2011 
2012         /* match on X509Certificate */
2013         if (x509Cert != null) {
2014             if (!x509Cert.equals(xcert)) {
2015                 if (debug != null) {
2016                     debug.println("X509CertSelector.match: "
2017                         + "certs don't match");




  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.io.IOException;
  29 import java.math.BigInteger;
  30 import java.security.PublicKey;
  31 import java.util.*;
  32 import javax.security.auth.x500.X500Principal;
  33 
  34 import sun.misc.HexDumpEncoder;
  35 import sun.security.util.Debug;
  36 import sun.security.util.DerInputStream;
  37 import sun.security.util.DerValue;
  38 import sun.security.util.ObjectIdentifier;
  39 import sun.security.x509.*;
  40 
  41 /**
  42  * A {@code CertSelector} that selects {@code X509Certificates} that
  43  * match all specified criteria. This class is particularly useful when
  44  * selecting certificates from a {@code CertStore} to build a
  45  * PKIX-compliant certification path.
  46  * <p>
  47  * When first constructed, an {@code X509CertSelector} has no criteria
  48  * enabled and each of the {@code get} methods return a default value
  49  * ({@code null}, or {@code -1} for the {@link #getBasicConstraints
  50  * getBasicConstraints} method). Therefore, the {@link #match match}
  51  * method would return {@code true} for any {@code X509Certificate}.
  52  * Typically, several criteria are enabled (by calling
  53  * {@link #setIssuer setIssuer} or
  54  * {@link #setKeyUsage setKeyUsage}, for instance) and then the
  55  * {@code X509CertSelector} is passed to
  56  * {@link CertStore#getCertificates CertStore.getCertificates} or some similar
  57  * method.
  58  * <p>
  59  * Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
  60  * and {@link #setSerialNumber setSerialNumber},
  61  * for example) such that the {@code match} method
  62  * usually uniquely matches a single {@code X509Certificate}. We say
  63  * usually, since it is possible for two issuing CAs to have the same
  64  * distinguished name and each issue a certificate with the same serial
  65  * number. Other unique combinations include the issuer, subject,
  66  * subjectKeyIdentifier and/or the subjectPublicKey criteria.
  67  * <p>
  68  * Please refer to <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280:
  69  * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for
  70  * definitions of the X.509 certificate extensions mentioned below.
  71  * <p>
  72  * <b>Concurrent Access</b>
  73  * <p>
  74  * Unless otherwise specified, the methods defined in this class are not
  75  * thread-safe. Multiple threads that need to access a single
  76  * object concurrently should synchronize amongst themselves and
  77  * provide the necessary locking. Multiple threads each manipulating
  78  * separate objects need not synchronize.
  79  *
  80  * @see CertSelector
  81  * @see X509Certificate
  82  *


 132     static {
 133         EXTENSION_OIDS[PRIVATE_KEY_USAGE_ID]  = "2.5.29.16";
 134         EXTENSION_OIDS[SUBJECT_ALT_NAME_ID]   = "2.5.29.17";
 135         EXTENSION_OIDS[NAME_CONSTRAINTS_ID]   = "2.5.29.30";
 136         EXTENSION_OIDS[CERT_POLICIES_ID]      = "2.5.29.32";
 137         EXTENSION_OIDS[EXTENDED_KEY_USAGE_ID] = "2.5.29.37";
 138     };
 139 
 140     /* Constants representing the GeneralName types */
 141     static final int NAME_ANY = 0;
 142     static final int NAME_RFC822 = 1;
 143     static final int NAME_DNS = 2;
 144     static final int NAME_X400 = 3;
 145     static final int NAME_DIRECTORY = 4;
 146     static final int NAME_EDI = 5;
 147     static final int NAME_URI = 6;
 148     static final int NAME_IP = 7;
 149     static final int NAME_OID = 8;
 150 
 151     /**
 152      * Creates an {@code X509CertSelector}. Initially, no criteria are set
 153      * so any {@code X509Certificate} will match.
 154      */
 155     public X509CertSelector() {
 156         // empty
 157     }
 158 
 159     /**
 160      * Sets the certificateEquals criterion. The specified
 161      * {@code X509Certificate} must be equal to the
 162      * {@code X509Certificate} passed to the {@code match} method.
 163      * If {@code null}, then this check is not applied.
 164      *
 165      * <p>This method is particularly useful when it is necessary to
 166      * match a single certificate. Although other criteria can be specified
 167      * in conjunction with the certificateEquals criterion, it is usually not
 168      * practical or necessary.
 169      *
 170      * @param cert the {@code X509Certificate} to match (or
 171      * {@code null})
 172      * @see #getCertificate
 173      */
 174     public void setCertificate(X509Certificate cert) {
 175         x509Cert = cert;
 176     }
 177 
 178     /**
 179      * Sets the serialNumber criterion. The specified serial number
 180      * must match the certificate serial number in the
 181      * {@code X509Certificate}. If {@code null}, any certificate
 182      * serial number will do.
 183      *
 184      * @param serial the certificate serial number to match
 185      *        (or {@code null})
 186      * @see #getSerialNumber
 187      */
 188     public void setSerialNumber(BigInteger serial) {
 189         serialNumber = serial;
 190     }
 191 
 192     /**
 193      * Sets the issuer criterion. The specified distinguished name
 194      * must match the issuer distinguished name in the
 195      * {@code X509Certificate}. If {@code null}, any issuer
 196      * distinguished name will do.
 197      *
 198      * @param issuer a distinguished name as X500Principal
 199      *                 (or {@code null})
 200      * @since 1.5
 201      */
 202     public void setIssuer(X500Principal issuer) {
 203         this.issuer = issuer;
 204     }
 205 
 206     /**
 207      * <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
 208      * or {@linkplain #setIssuer(byte[])} instead. This method should not be
 209      * relied on as it can fail to match some certificates because of a loss of
 210      * encoding information in the
 211      * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
 212      * of some distinguished names.
 213      * <p>
 214      * Sets the issuer criterion. The specified distinguished name
 215      * must match the issuer distinguished name in the
 216      * {@code X509Certificate}. If {@code null}, any issuer
 217      * distinguished name will do.
 218      * <p>
 219      * If {@code issuerDN} is not {@code null}, it should contain a
 220      * distinguished name, in RFC 2253 format.
 221      *
 222      * @param issuerDN a distinguished name in RFC 2253 format
 223      *                 (or {@code null})
 224      * @throws IOException if a parsing error occurs (incorrect form for DN)
 225      */
 226     public void setIssuer(String issuerDN) throws IOException {
 227         if (issuerDN == null) {
 228             issuer = null;
 229         } else {
 230             issuer = new X500Name(issuerDN).asX500Principal();
 231         }
 232     }
 233 
 234     /**
 235      * Sets the issuer criterion. The specified distinguished name
 236      * must match the issuer distinguished name in the
 237      * {@code X509Certificate}. If {@code null} is specified,
 238      * the issuer criterion is disabled and any issuer distinguished name will
 239      * do.
 240      * <p>
 241      * If {@code issuerDN} is not {@code null}, it should contain a
 242      * single DER encoded distinguished name, as defined in X.501. The ASN.1
 243      * notation for this structure is as follows.
 244      * <pre>{@code
 245      * Name ::= CHOICE {
 246      *   RDNSequence }
 247      *
 248      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 249      *
 250      * RelativeDistinguishedName ::=
 251      *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
 252      *
 253      * AttributeTypeAndValue ::= SEQUENCE {
 254      *   type     AttributeType,
 255      *   value    AttributeValue }
 256      *
 257      * AttributeType ::= OBJECT IDENTIFIER
 258      *
 259      * AttributeValue ::= ANY DEFINED BY AttributeType
 260      * ....
 261      * DirectoryString ::= CHOICE {
 262      *       teletexString           TeletexString (SIZE (1..MAX)),
 263      *       printableString         PrintableString (SIZE (1..MAX)),
 264      *       universalString         UniversalString (SIZE (1..MAX)),
 265      *       utf8String              UTF8String (SIZE (1.. MAX)),
 266      *       bmpString               BMPString (SIZE (1..MAX)) }
 267      * }</pre>
 268      * <p>
 269      * Note that the byte array specified here is cloned to protect against
 270      * subsequent modifications.
 271      *
 272      * @param issuerDN a byte array containing the distinguished name
 273      *                 in ASN.1 DER encoded form (or {@code null})
 274      * @throws IOException if an encoding error occurs (incorrect form for DN)
 275      */
 276     public void setIssuer(byte[] issuerDN) throws IOException {
 277         try {
 278             issuer = (issuerDN == null ? null : new X500Principal(issuerDN));
 279         } catch (IllegalArgumentException e) {
 280             throw new IOException("Invalid name", e);
 281         }
 282     }
 283 
 284     /**
 285      * Sets the subject criterion. The specified distinguished name
 286      * must match the subject distinguished name in the
 287      * {@code X509Certificate}. If {@code null}, any subject
 288      * distinguished name will do.
 289      *
 290      * @param subject a distinguished name as X500Principal
 291      *                  (or {@code null})
 292      * @since 1.5
 293      */
 294     public void setSubject(X500Principal subject) {
 295         this.subject = subject;
 296     }
 297 
 298     /**
 299      * <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
 300      * or {@linkplain #setSubject(byte[])} instead. This method should not be
 301      * relied on as it can fail to match some certificates because of a loss of
 302      * encoding information in the RFC 2253 String form of some distinguished
 303      * names.
 304      * <p>
 305      * Sets the subject criterion. The specified distinguished name
 306      * must match the subject distinguished name in the
 307      * {@code X509Certificate}. If {@code null}, any subject
 308      * distinguished name will do.
 309      * <p>
 310      * If {@code subjectDN} is not {@code null}, it should contain a
 311      * distinguished name, in RFC 2253 format.
 312      *
 313      * @param subjectDN a distinguished name in RFC 2253 format
 314      *                  (or {@code null})
 315      * @throws IOException if a parsing error occurs (incorrect form for DN)
 316      */
 317     public void setSubject(String subjectDN) throws IOException {
 318         if (subjectDN == null) {
 319             subject = null;
 320         } else {
 321             subject = new X500Name(subjectDN).asX500Principal();
 322         }
 323     }
 324 
 325     /**
 326      * Sets the subject criterion. The specified distinguished name
 327      * must match the subject distinguished name in the
 328      * {@code X509Certificate}. If {@code null}, any subject
 329      * distinguished name will do.
 330      * <p>
 331      * If {@code subjectDN} is not {@code null}, it should contain a
 332      * single DER encoded distinguished name, as defined in X.501. For the ASN.1
 333      * notation for this structure, see
 334      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
 335      *
 336      * @param subjectDN a byte array containing the distinguished name in
 337      *                  ASN.1 DER format (or {@code null})
 338      * @throws IOException if an encoding error occurs (incorrect form for DN)
 339      */
 340     public void setSubject(byte[] subjectDN) throws IOException {
 341         try {
 342             subject = (subjectDN == null ? null : new X500Principal(subjectDN));
 343         } catch (IllegalArgumentException e) {
 344             throw new IOException("Invalid name", e);
 345         }
 346     }
 347 
 348     /**
 349      * Sets the subjectKeyIdentifier criterion. The
 350      * {@code X509Certificate} must contain a SubjectKeyIdentifier
 351      * extension for which the contents of the extension
 352      * matches the specified criterion value.
 353      * If the criterion value is {@code null}, no
 354      * subjectKeyIdentifier check will be done.
 355      * <p>
 356      * If {@code subjectKeyID} is not {@code null}, it
 357      * should contain a single DER encoded value corresponding to the contents
 358      * of the extension value (not including the object identifier,
 359      * criticality setting, and encapsulating OCTET STRING)
 360      * for a SubjectKeyIdentifier extension.
 361      * The ASN.1 notation for this structure follows.
 362      * <p>
 363      * <pre>{@code
 364      * SubjectKeyIdentifier ::= KeyIdentifier
 365      *
 366      * KeyIdentifier ::= OCTET STRING
 367      * }</pre>
 368      * <p>
 369      * Since the format of subject key identifiers is not mandated by
 370      * any standard, subject key identifiers are not parsed by the
 371      * {@code X509CertSelector}. Instead, the values are compared using
 372      * a byte-by-byte comparison.
 373      * <p>
 374      * Note that the byte array supplied here is cloned to protect against
 375      * subsequent modifications.
 376      *
 377      * @param subjectKeyID the subject key identifier (or {@code null})
 378      * @see #getSubjectKeyIdentifier
 379      */
 380     public void setSubjectKeyIdentifier(byte[] subjectKeyID) {
 381         if (subjectKeyID == null) {
 382             this.subjectKeyID = null;
 383         } else {
 384             this.subjectKeyID = subjectKeyID.clone();
 385         }
 386     }
 387 
 388     /**
 389      * Sets the authorityKeyIdentifier criterion. The
 390      * {@code X509Certificate} must contain an
 391      * AuthorityKeyIdentifier extension for which the contents of the
 392      * extension value matches the specified criterion value.
 393      * If the criterion value is {@code null}, no
 394      * authorityKeyIdentifier check will be done.
 395      * <p>
 396      * If {@code authorityKeyID} is not {@code null}, it
 397      * should contain a single DER encoded value corresponding to the contents
 398      * of the extension value (not including the object identifier,
 399      * criticality setting, and encapsulating OCTET STRING)
 400      * for an AuthorityKeyIdentifier extension.
 401      * The ASN.1 notation for this structure follows.
 402      * <p>
 403      * <pre>{@code
 404      * AuthorityKeyIdentifier ::= SEQUENCE {
 405      *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 406      *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 407      *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 408      *
 409      * KeyIdentifier ::= OCTET STRING
 410      * }</pre>
 411      * <p>
 412      * Authority key identifiers are not parsed by the
 413      * {@code X509CertSelector}.  Instead, the values are
 414      * compared using a byte-by-byte comparison.
 415      * <p>
 416      * When the {@code keyIdentifier} field of
 417      * {@code AuthorityKeyIdentifier} is populated, the value is
 418      * usually taken from the {@code SubjectKeyIdentifier} extension
 419      * in the issuer's certificate.  Note, however, that the result of
 420      * {@code X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object
 421      * Identifier>)} on the issuer's certificate may NOT be used
 422      * directly as the input to {@code setAuthorityKeyIdentifier}.
 423      * This is because the SubjectKeyIdentifier contains
 424      * only a KeyIdentifier OCTET STRING, and not a SEQUENCE of
 425      * KeyIdentifier, GeneralNames, and CertificateSerialNumber.
 426      * In order to use the extension value of the issuer certificate's
 427      * {@code SubjectKeyIdentifier}
 428      * extension, it will be necessary to extract the value of the embedded
 429      * {@code KeyIdentifier} OCTET STRING, then DER encode this OCTET
 430      * STRING inside a SEQUENCE.
 431      * For more details on SubjectKeyIdentifier, see
 432      * {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}.
 433      * <p>
 434      * Note also that the byte array supplied here is cloned to protect against
 435      * subsequent modifications.
 436      *
 437      * @param authorityKeyID the authority key identifier
 438      *        (or {@code null})
 439      * @see #getAuthorityKeyIdentifier
 440      */
 441     public void setAuthorityKeyIdentifier(byte[] authorityKeyID) {
 442         if (authorityKeyID == null) {
 443             this.authorityKeyID = null;
 444         } else {
 445             this.authorityKeyID = authorityKeyID.clone();
 446         }
 447     }
 448 
 449     /**
 450      * Sets the certificateValid criterion. The specified date must fall
 451      * within the certificate validity period for the
 452      * {@code X509Certificate}. If {@code null}, no certificateValid
 453      * check will be done.
 454      * <p>
 455      * Note that the {@code Date} supplied here is cloned to protect
 456      * against subsequent modifications.
 457      *
 458      * @param certValid the {@code Date} to check (or {@code null})
 459      * @see #getCertificateValid
 460      */
 461     public void setCertificateValid(Date certValid) {
 462         if (certValid == null) {
 463             certificateValid = null;
 464         } else {
 465             certificateValid = (Date)certValid.clone();
 466         }
 467     }
 468 
 469     /**
 470      * Sets the privateKeyValid criterion. The specified date must fall
 471      * within the private key validity period for the
 472      * {@code X509Certificate}. If {@code null}, no privateKeyValid
 473      * check will be done.
 474      * <p>
 475      * Note that the {@code Date} supplied here is cloned to protect
 476      * against subsequent modifications.
 477      *
 478      * @param privateKeyValid the {@code Date} to check (or
 479      *                        {@code null})
 480      * @see #getPrivateKeyValid
 481      */
 482     public void setPrivateKeyValid(Date privateKeyValid) {
 483         if (privateKeyValid == null) {
 484             this.privateKeyValid = null;
 485         } else {
 486             this.privateKeyValid = (Date)privateKeyValid.clone();
 487         }
 488     }
 489 
 490     /**
 491      * Sets the subjectPublicKeyAlgID criterion. The
 492      * {@code X509Certificate} must contain a subject public key
 493      * with the specified algorithm. If {@code null}, no
 494      * subjectPublicKeyAlgID check will be done.
 495      *
 496      * @param oid The object identifier (OID) of the algorithm to check
 497      *            for (or {@code null}). An OID is represented by a
 498      *            set of nonnegative integers separated by periods.
 499      * @throws IOException if the OID is invalid, such as
 500      * the first component being not 0, 1 or 2 or the second component
 501      * being greater than 39.
 502      *
 503      * @see #getSubjectPublicKeyAlgID
 504      */
 505     public void setSubjectPublicKeyAlgID(String oid) throws IOException {
 506         if (oid == null) {
 507             subjectPublicKeyAlgID = null;
 508         } else {
 509             subjectPublicKeyAlgID = new ObjectIdentifier(oid);
 510         }
 511     }
 512 
 513     /**
 514      * Sets the subjectPublicKey criterion. The
 515      * {@code X509Certificate} must contain the specified subject public
 516      * key. If {@code null}, no subjectPublicKey check will be done.
 517      *
 518      * @param key the subject public key to check for (or {@code null})
 519      * @see #getSubjectPublicKey
 520      */
 521     public void setSubjectPublicKey(PublicKey key) {
 522         if (key == null) {
 523             subjectPublicKey = null;
 524             subjectPublicKeyBytes = null;
 525         } else {
 526             subjectPublicKey = key;
 527             subjectPublicKeyBytes = key.getEncoded();
 528         }
 529     }
 530 
 531     /**
 532      * Sets the subjectPublicKey criterion. The {@code X509Certificate}
 533      * must contain the specified subject public key. If {@code null},
 534      * no subjectPublicKey check will be done.
 535      * <p>
 536      * Because this method allows the public key to be specified as a byte
 537      * array, it may be used for unknown key types.
 538      * <p>
 539      * If {@code key} is not {@code null}, it should contain a
 540      * single DER encoded SubjectPublicKeyInfo structure, as defined in X.509.
 541      * The ASN.1 notation for this structure is as follows.
 542      * <pre>{@code
 543      * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 544      *   algorithm            AlgorithmIdentifier,
 545      *   subjectPublicKey     BIT STRING  }
 546      *
 547      * AlgorithmIdentifier  ::=  SEQUENCE  {
 548      *   algorithm               OBJECT IDENTIFIER,
 549      *   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 550      *                              -- contains a value of the type
 551      *                              -- registered for use with the
 552      *                              -- algorithm object identifier value
 553      * }</pre>
 554      * <p>
 555      * Note that the byte array supplied here is cloned to protect against
 556      * subsequent modifications.
 557      *
 558      * @param key a byte array containing the subject public key in ASN.1 DER
 559      *            form (or {@code null})
 560      * @throws IOException if an encoding error occurs (incorrect form for
 561      * subject public key)
 562      * @see #getSubjectPublicKey
 563      */
 564     public void setSubjectPublicKey(byte[] key) throws IOException {
 565         if (key == null) {
 566             subjectPublicKey = null;
 567             subjectPublicKeyBytes = null;
 568         } else {
 569             subjectPublicKeyBytes = key.clone();
 570             subjectPublicKey = X509Key.parse(new DerValue(subjectPublicKeyBytes));
 571         }
 572     }
 573 
 574     /**
 575      * Sets the keyUsage criterion. The {@code X509Certificate}
 576      * must allow the specified keyUsage values. If {@code null}, no
 577      * keyUsage check will be done. Note that an {@code X509Certificate}
 578      * that has no keyUsage extension implicitly allows all keyUsage values.
 579      * <p>
 580      * Note that the boolean array supplied here is cloned to protect against
 581      * subsequent modifications.
 582      *
 583      * @param keyUsage a boolean array in the same format as the boolean
 584      *                 array returned by
 585      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
 586      *                 Or {@code null}.
 587      * @see #getKeyUsage
 588      */
 589     public void setKeyUsage(boolean[] keyUsage) {
 590         if (keyUsage == null) {
 591             this.keyUsage = null;
 592         } else {
 593             this.keyUsage = keyUsage.clone();
 594         }
 595     }
 596 
 597     /**
 598      * Sets the extendedKeyUsage criterion. The {@code X509Certificate}
 599      * must allow the specified key purposes in its extended key usage
 600      * extension. If {@code keyPurposeSet} is empty or {@code null},
 601      * no extendedKeyUsage check will be done. Note that an
 602      * {@code X509Certificate} that has no extendedKeyUsage extension
 603      * implicitly allows all key purposes.
 604      * <p>
 605      * Note that the {@code Set} is cloned to protect against
 606      * subsequent modifications.
 607      *
 608      * @param keyPurposeSet a {@code Set} of key purpose OIDs in string
 609      * format (or {@code null}). Each OID is represented by a set of
 610      * nonnegative integers separated by periods.
 611      * @throws IOException if the OID is invalid, such as
 612      * the first component being not 0, 1 or 2 or the second component
 613      * being greater than 39.
 614      * @see #getExtendedKeyUsage
 615      */
 616     public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException {
 617         if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
 618             this.keyPurposeSet = null;
 619             keyPurposeOIDSet = null;
 620         } else {
 621             this.keyPurposeSet =
 622                 Collections.unmodifiableSet(new HashSet<String>(keyPurposeSet));
 623             keyPurposeOIDSet = new HashSet<ObjectIdentifier>();
 624             for (String s : this.keyPurposeSet) {
 625                 keyPurposeOIDSet.add(new ObjectIdentifier(s));
 626             }
 627         }
 628     }
 629 
 630     /**
 631      * Enables/disables matching all of the subjectAlternativeNames
 632      * specified in the {@link #setSubjectAlternativeNames
 633      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
 634      * addSubjectAlternativeName} methods. If enabled,
 635      * the {@code X509Certificate} must contain all of the
 636      * specified subject alternative names. If disabled, the
 637      * {@code X509Certificate} must contain at least one of the
 638      * specified subject alternative names.
 639      *
 640      * <p>The matchAllNames flag is {@code true} by default.
 641      *
 642      * @param matchAllNames if {@code true}, the flag is enabled;
 643      * if {@code false}, the flag is disabled.
 644      * @see #getMatchAllSubjectAltNames
 645      */
 646     public void setMatchAllSubjectAltNames(boolean matchAllNames) {
 647         this.matchAllSubjectAltNames = matchAllNames;
 648     }
 649 
 650     /**
 651      * Sets the subjectAlternativeNames criterion. The
 652      * {@code X509Certificate} must contain all or at least one of the
 653      * specified subjectAlternativeNames, depending on the value of
 654      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 655      * setMatchAllSubjectAltNames}).
 656      * <p>
 657      * This method allows the caller to specify, with a single method call,
 658      * the complete set of subject alternative names for the
 659      * subjectAlternativeNames criterion. The specified value replaces
 660      * the previous value for the subjectAlternativeNames criterion.
 661      * <p>
 662      * The {@code names} parameter (if not {@code null}) is a
 663      * {@code Collection} with one
 664      * entry for each name to be included in the subject alternative name
 665      * criterion. Each entry is a {@code List} whose first entry is an
 666      * {@code Integer} (the name type, 0-8) and whose second
 667      * entry is a {@code String} or a byte array (the name, in
 668      * string or ASN.1 DER encoded form, respectively).
 669      * There can be multiple names of the same type. If {@code null}
 670      * is supplied as the value for this argument, no
 671      * subjectAlternativeNames check will be performed.
 672      * <p>
 673      * Each subject alternative name in the {@code Collection}
 674      * may be specified either as a {@code String} or as an ASN.1 encoded
 675      * byte array. For more details about the formats used, see
 676      * {@link #addSubjectAlternativeName(int type, String name)
 677      * addSubjectAlternativeName(int type, String name)} and
 678      * {@link #addSubjectAlternativeName(int type, byte [] name)
 679      * addSubjectAlternativeName(int type, byte [] name)}.
 680      * <p>
 681      * <strong>Note:</strong> for distinguished names, specify the byte
 682      * array form instead of the String form. See the note in
 683      * {@link #addSubjectAlternativeName(int, String)} for more information.
 684      * <p>
 685      * Note that the {@code names} parameter can contain duplicate
 686      * names (same name and name type), but they may be removed from the
 687      * {@code Collection} of names returned by the
 688      * {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method.
 689      * <p>
 690      * Note that a deep copy is performed on the {@code Collection} to
 691      * protect against subsequent modifications.
 692      *
 693      * @param names a {@code Collection} of names (or {@code null})
 694      * @throws IOException if a parsing error occurs
 695      * @see #getSubjectAlternativeNames
 696      */
 697     public void setSubjectAlternativeNames(Collection<List<?>> names)
 698             throws IOException {
 699         if (names == null) {
 700             subjectAlternativeNames = null;
 701             subjectAlternativeGeneralNames = null;
 702         } else {
 703             if (names.isEmpty()) {
 704                 subjectAlternativeNames = null;
 705                 subjectAlternativeGeneralNames = null;
 706                 return;
 707             }
 708             Set<List<?>> tempNames = cloneAndCheckNames(names);
 709             // Ensure that we either set both of these or neither
 710             subjectAlternativeGeneralNames = parseNames(tempNames);
 711             subjectAlternativeNames = tempNames;
 712         }
 713     }
 714 
 715     /**
 716      * Adds a name to the subjectAlternativeNames criterion. The
 717      * {@code X509Certificate} must contain all or at least one
 718      * of the specified subjectAlternativeNames, depending on the value of
 719      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 720      * setMatchAllSubjectAltNames}).
 721      * <p>
 722      * This method allows the caller to add a name to the set of subject
 723      * alternative names.
 724      * The specified name is added to any previous value for the
 725      * subjectAlternativeNames criterion. If the specified name is a
 726      * duplicate, it may be ignored.
 727      * <p>
 728      * The name is provided in string format.
 729      * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
 730      * names use the well-established string formats for those types (subject to
 731      * the restrictions included in RFC 3280). IPv4 address names are
 732      * supplied using dotted quad notation. OID address names are represented
 733      * as a series of nonnegative integers separated by periods. And
 734      * directory names (distinguished names) are supplied in RFC 2253 format.
 735      * No standard string format is defined for otherNames, X.400 names,
 736      * EDI party names, IPv6 address names, or any other type of names. They
 737      * should be specified using the
 738      * {@link #addSubjectAlternativeName(int type, byte [] name)
 739      * addSubjectAlternativeName(int type, byte [] name)}
 740      * method.
 741      * <p>
 742      * <strong>Note:</strong> for distinguished names, use
 743      * {@linkplain #addSubjectAlternativeName(int, byte[])} instead.
 744      * This method should not be relied on as it can fail to match some
 745      * certificates because of a loss of encoding information in the RFC 2253
 746      * String form of some distinguished names.
 747      *
 748      * @param type the name type (0-8, as specified in
 749      *             RFC 3280, section 4.2.1.7)
 750      * @param name the name in string form (not {@code null})
 751      * @throws IOException if a parsing error occurs
 752      */
 753     public void addSubjectAlternativeName(int type, String name)
 754             throws IOException {
 755         addSubjectAlternativeNameInternal(type, name);
 756     }
 757 
 758     /**
 759      * Adds a name to the subjectAlternativeNames criterion. The
 760      * {@code X509Certificate} must contain all or at least one
 761      * of the specified subjectAlternativeNames, depending on the value of
 762      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 763      * setMatchAllSubjectAltNames}).
 764      * <p>
 765      * This method allows the caller to add a name to the set of subject
 766      * alternative names.
 767      * The specified name is added to any previous value for the
 768      * subjectAlternativeNames criterion. If the specified name is a
 769      * duplicate, it may be ignored.
 770      * <p>
 771      * The name is provided as a byte array. This byte array should contain
 772      * the DER encoded name, as it would appear in the GeneralName structure
 773      * defined in RFC 3280 and X.509. The encoded byte array should only contain
 774      * the encoded value of the name, and should not include the tag associated
 775      * with the name in the GeneralName structure. The ASN.1 definition of this
 776      * structure appears below.
 777      * <pre>{@code
 778      *  GeneralName ::= CHOICE {
 779      *       otherName                       [0]     OtherName,
 780      *       rfc822Name                      [1]     IA5String,
 781      *       dNSName                         [2]     IA5String,
 782      *       x400Address                     [3]     ORAddress,
 783      *       directoryName                   [4]     Name,
 784      *       ediPartyName                    [5]     EDIPartyName,
 785      *       uniformResourceIdentifier       [6]     IA5String,
 786      *       iPAddress                       [7]     OCTET STRING,
 787      *       registeredID                    [8]     OBJECT IDENTIFIER}
 788      * }</pre>
 789      * <p>
 790      * Note that the byte array supplied here is cloned to protect against
 791      * subsequent modifications.
 792      *
 793      * @param type the name type (0-8, as listed above)
 794      * @param name a byte array containing the name in ASN.1 DER encoded form
 795      * @throws IOException if a parsing error occurs
 796      */
 797     public void addSubjectAlternativeName(int type, byte[] name)
 798             throws IOException {
 799         // clone because byte arrays are modifiable
 800         addSubjectAlternativeNameInternal(type, name.clone());
 801     }
 802 
 803     /**
 804      * A private method that adds a name (String or byte array) to the
 805      * subjectAlternativeNames criterion. The {@code X509Certificate}
 806      * must contain the specified subjectAlternativeName.
 807      *
 808      * @param type the name type (0-8, as specified in
 809      *             RFC 3280, section 4.2.1.7)
 810      * @param name the name in string or byte array form
 811      * @throws IOException if a parsing error occurs
 812      */
 813     private void addSubjectAlternativeNameInternal(int type, Object name)
 814             throws IOException {
 815         // First, ensure that the name parses
 816         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
 817         if (subjectAlternativeNames == null) {
 818             subjectAlternativeNames = new HashSet<List<?>>();
 819         }
 820         if (subjectAlternativeGeneralNames == null) {
 821             subjectAlternativeGeneralNames = new HashSet<GeneralNameInterface>();
 822         }
 823         List<Object> list = new ArrayList<Object>(2);
 824         list.add(Integer.valueOf(type));
 825         list.add(name);
 826         subjectAlternativeNames.add(list);
 827         subjectAlternativeGeneralNames.add(tempName);
 828     }
 829 
 830     /**
 831      * Parse an argument of the form passed to setSubjectAlternativeNames,
 832      * returning a {@code Collection} of
 833      * {@code GeneralNameInterface}s.
 834      * Throw an IllegalArgumentException or a ClassCastException
 835      * if the argument is malformed.
 836      *
 837      * @param names a Collection with one entry per name.
 838      *              Each entry is a {@code List} whose first entry
 839      *              is an Integer (the name type, 0-8) and whose second
 840      *              entry is a String or a byte array (the name, in
 841      *              string or ASN.1 DER encoded form, respectively).
 842      *              There can be multiple names of the same type. Null is
 843      *              not an acceptable value.
 844      * @return a Set of {@code GeneralNameInterface}s
 845      * @throws IOException if a parsing error occurs
 846      */
 847     private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException {
 848         Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>();
 849         for (List<?> nameList : names) {
 850             if (nameList.size() != 2) {
 851                 throw new IOException("name list size not 2");
 852             }
 853             Object o =  nameList.get(0);
 854             if (!(o instanceof Integer)) {
 855                 throw new IOException("expected an Integer");
 856             }
 857             int nameType = ((Integer)o).intValue();
 858             o = nameList.get(1);
 859             genNames.add(makeGeneralNameInterface(nameType, o));
 860         }
 861 
 862         return genNames;
 863     }
 864 
 865     /**
 866      * Compare for equality two objects of the form passed to
 867      * setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames).
 868      * Throw an {@code IllegalArgumentException} or a
 869      * {@code ClassCastException} if one of the objects is malformed.
 870      *
 871      * @param object1 a Collection containing the first object to compare
 872      * @param object2 a Collection containing the second object to compare
 873      * @return true if the objects are equal, false otherwise
 874      */
 875     static boolean equalNames(Collection<?> object1, Collection<?> object2) {
 876         if ((object1 == null) || (object2 == null)) {
 877             return object1 == object2;
 878         }
 879         return object1.equals(object2);
 880     }
 881 
 882     /**
 883      * Make a {@code GeneralNameInterface} out of a name type (0-8) and an
 884      * Object that may be a byte array holding the ASN.1 DER encoded
 885      * name or a String form of the name.  Except for X.509
 886      * Distinguished Names, the String form of the name must not be the
 887      * result from calling toString on an existing GeneralNameInterface
 888      * implementing class.  The output of toString is not compatible
 889      * with the String constructors for names other than Distinguished
 890      * Names.
 891      *
 892      * @param type name type (0-8)
 893      * @param name name as ASN.1 Der-encoded byte array or String
 894      * @return a GeneralNameInterface name
 895      * @throws IOException if a parsing error occurs
 896      */
 897     static GeneralNameInterface makeGeneralNameInterface(int type, Object name)
 898             throws IOException {
 899         GeneralNameInterface result;
 900         if (debug != null) {
 901             debug.println("X509CertSelector.makeGeneralNameInterface("
 902                 + type + ")...");
 903         }


 972             default:
 973                 throw new IOException("unable to parse byte array names of "
 974                     + "type " + type);
 975             }
 976             if (debug != null) {
 977                 debug.println("X509CertSelector.makeGeneralNameInterface() result: "
 978                     + result.toString());
 979             }
 980         } else {
 981             if (debug != null) {
 982                 debug.println("X509CertSelector.makeGeneralName() input name "
 983                     + "not String or byte array");
 984             }
 985             throw new IOException("name not String or byte array");
 986         }
 987         return result;
 988     }
 989 
 990 
 991     /**
 992      * Sets the name constraints criterion. The {@code X509Certificate}
 993      * must have subject and subject alternative names that
 994      * meet the specified name constraints.
 995      * <p>
 996      * The name constraints are specified as a byte array. This byte array
 997      * should contain the DER encoded form of the name constraints, as they
 998      * would appear in the NameConstraints structure defined in RFC 3280
 999      * and X.509. The ASN.1 definition of this structure appears below.
1000      *
1001      * <pre>{@code
1002      *  NameConstraints ::= SEQUENCE {
1003      *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
1004      *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
1005      *
1006      *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1007      *
1008      *  GeneralSubtree ::= SEQUENCE {
1009      *       base                    GeneralName,
1010      *       minimum         [0]     BaseDistance DEFAULT 0,
1011      *       maximum         [1]     BaseDistance OPTIONAL }
1012      *
1013      *  BaseDistance ::= INTEGER (0..MAX)
1014      *
1015      *  GeneralName ::= CHOICE {
1016      *       otherName                       [0]     OtherName,
1017      *       rfc822Name                      [1]     IA5String,
1018      *       dNSName                         [2]     IA5String,
1019      *       x400Address                     [3]     ORAddress,
1020      *       directoryName                   [4]     Name,
1021      *       ediPartyName                    [5]     EDIPartyName,
1022      *       uniformResourceIdentifier       [6]     IA5String,
1023      *       iPAddress                       [7]     OCTET STRING,
1024      *       registeredID                    [8]     OBJECT IDENTIFIER}
1025      * }</pre>
1026      * <p>
1027      * Note that the byte array supplied here is cloned to protect against
1028      * subsequent modifications.
1029      *
1030      * @param bytes a byte array containing the ASN.1 DER encoding of
1031      *              a NameConstraints extension to be used for checking
1032      *              name constraints. Only the value of the extension is
1033      *              included, not the OID or criticality flag. Can be
1034      *              {@code null},
1035      *              in which case no name constraints check will be performed.
1036      * @throws IOException if a parsing error occurs
1037      * @see #getNameConstraints
1038      */
1039     public void setNameConstraints(byte[] bytes) throws IOException {
1040         if (bytes == null) {
1041             ncBytes = null;
1042             nc = null;
1043         } else {
1044             ncBytes = bytes.clone();
1045             nc = new NameConstraintsExtension(FALSE, bytes);
1046         }
1047     }
1048 
1049     /**
1050      * Sets the basic constraints constraint. If the value is greater than or
1051      * equal to zero, {@code X509Certificates} must include a
1052      * basicConstraints extension with
1053      * a pathLen of at least this value. If the value is -2, only end-entity
1054      * certificates are accepted. If the value is -1, no check is done.
1055      * <p>
1056      * This constraint is useful when building a certification path forward
1057      * (from the target toward the trust anchor. If a partial path has been
1058      * built, any candidate certificate must have a maxPathLen value greater
1059      * than or equal to the number of certificates in the partial path.
1060      *
1061      * @param minMaxPathLen the value for the basic constraints constraint
1062      * @throws IllegalArgumentException if the value is less than -2
1063      * @see #getBasicConstraints
1064      */
1065     public void setBasicConstraints(int minMaxPathLen) {
1066         if (minMaxPathLen < -2) {
1067             throw new IllegalArgumentException("basic constraints less than -2");
1068         }
1069         basicConstraints = minMaxPathLen;
1070     }
1071 
1072     /**
1073      * Sets the policy constraint. The {@code X509Certificate} must
1074      * include at least one of the specified policies in its certificate
1075      * policies extension. If {@code certPolicySet} is empty, then the
1076      * {@code X509Certificate} must include at least some specified policy
1077      * in its certificate policies extension. If {@code certPolicySet} is
1078      * {@code null}, no policy check will be performed.
1079      * <p>
1080      * Note that the {@code Set} is cloned to protect against
1081      * subsequent modifications.
1082      *
1083      * @param certPolicySet a {@code Set} of certificate policy OIDs in
1084      *                      string format (or {@code null}). Each OID is
1085      *                      represented by a set of nonnegative integers
1086      *                    separated by periods.
1087      * @throws IOException if a parsing error occurs on the OID such as
1088      * the first component is not 0, 1 or 2 or the second component is
1089      * greater than 39.
1090      * @see #getPolicy
1091      */
1092     public void setPolicy(Set<String> certPolicySet) throws IOException {
1093         if (certPolicySet == null) {
1094             policySet = null;
1095             policy = null;
1096         } else {
1097             // Snapshot set and parse it
1098             Set<String> tempSet = Collections.unmodifiableSet
1099                                         (new HashSet<String>(certPolicySet));
1100             /* Convert to Vector of ObjectIdentifiers */
1101             Iterator<String> i = tempSet.iterator();
1102             Vector<CertificatePolicyId> polIdVector = new Vector<CertificatePolicyId>();
1103             while (i.hasNext()) {
1104                 Object o = i.next();
1105                 if (!(o instanceof String)) {
1106                     throw new IOException("non String in certPolicySet");
1107                 }
1108                 polIdVector.add(new CertificatePolicyId(new ObjectIdentifier(
1109                   (String)o)));
1110             }
1111             // If everything went OK, make the changes
1112             policySet = tempSet;
1113             policy = new CertificatePolicySet(polIdVector);
1114         }
1115     }
1116 
1117     /**
1118      * Sets the pathToNames criterion. The {@code X509Certificate} must
1119      * not include name constraints that would prohibit building a
1120      * path to the specified names.
1121      * <p>
1122      * This method allows the caller to specify, with a single method call,
1123      * the complete set of names which the {@code X509Certificates}'s
1124      * name constraints must permit. The specified value replaces
1125      * the previous value for the pathToNames criterion.
1126      * <p>
1127      * This constraint is useful when building a certification path forward
1128      * (from the target toward the trust anchor. If a partial path has been
1129      * built, any candidate certificate must not include name constraints that
1130      * would prohibit building a path to any of the names in the partial path.
1131      * <p>
1132      * The {@code names} parameter (if not {@code null}) is a
1133      * {@code Collection} with one
1134      * entry for each name to be included in the pathToNames
1135      * criterion. Each entry is a {@code List} whose first entry is an
1136      * {@code Integer} (the name type, 0-8) and whose second
1137      * entry is a {@code String} or a byte array (the name, in
1138      * string or ASN.1 DER encoded form, respectively).
1139      * There can be multiple names of the same type. If {@code null}
1140      * is supplied as the value for this argument, no
1141      * pathToNames check will be performed.
1142      * <p>
1143      * Each name in the {@code Collection}
1144      * may be specified either as a {@code String} or as an ASN.1 encoded
1145      * byte array. For more details about the formats used, see
1146      * {@link #addPathToName(int type, String name)
1147      * addPathToName(int type, String name)} and
1148      * {@link #addPathToName(int type, byte [] name)
1149      * addPathToName(int type, byte [] name)}.
1150      * <p>
1151      * <strong>Note:</strong> for distinguished names, specify the byte
1152      * array form instead of the String form. See the note in
1153      * {@link #addPathToName(int, String)} for more information.
1154      * <p>
1155      * Note that the {@code names} parameter can contain duplicate
1156      * names (same name and name type), but they may be removed from the
1157      * {@code Collection} of names returned by the
1158      * {@link #getPathToNames getPathToNames} method.
1159      * <p>
1160      * Note that a deep copy is performed on the {@code Collection} to
1161      * protect against subsequent modifications.
1162      *
1163      * @param names a {@code Collection} with one entry per name
1164      *              (or {@code null})
1165      * @throws IOException if a parsing error occurs
1166      * @see #getPathToNames
1167      */
1168     public void setPathToNames(Collection<List<?>> names) throws IOException {
1169         if ((names == null) || names.isEmpty()) {
1170             pathToNames = null;
1171             pathToGeneralNames = null;
1172         } else {
1173             Set<List<?>> tempNames = cloneAndCheckNames(names);
1174             pathToGeneralNames = parseNames(tempNames);
1175             // Ensure that we either set both of these or neither
1176             pathToNames = tempNames;
1177         }
1178     }
1179 
1180     // called from CertPathHelper
1181     void setPathToNamesInternal(Set<GeneralNameInterface> names) {
1182         // set names to non-null dummy value
1183         // this breaks getPathToNames()
1184         pathToNames = Collections.<List<?>>emptySet();
1185         pathToGeneralNames = names;
1186     }
1187 
1188     /**
1189      * Adds a name to the pathToNames criterion. The {@code X509Certificate}
1190      * must not include name constraints that would prohibit building a
1191      * path to the specified name.
1192      * <p>
1193      * This method allows the caller to add a name to the set of names which
1194      * the {@code X509Certificates}'s name constraints must permit.
1195      * The specified name is added to any previous value for the
1196      * pathToNames criterion.  If the name is a duplicate, it may be ignored.
1197      * <p>
1198      * The name is provided in string format. RFC 822, DNS, and URI names
1199      * use the well-established string formats for those types (subject to
1200      * the restrictions included in RFC 3280). IPv4 address names are
1201      * supplied using dotted quad notation. OID address names are represented
1202      * as a series of nonnegative integers separated by periods. And
1203      * directory names (distinguished names) are supplied in RFC 2253 format.
1204      * No standard string format is defined for otherNames, X.400 names,
1205      * EDI party names, IPv6 address names, or any other type of names. They
1206      * should be specified using the
1207      * {@link #addPathToName(int type, byte [] name)
1208      * addPathToName(int type, byte [] name)} method.
1209      * <p>
1210      * <strong>Note:</strong> for distinguished names, use
1211      * {@linkplain #addPathToName(int, byte[])} instead.
1212      * This method should not be relied on as it can fail to match some
1213      * certificates because of a loss of encoding information in the RFC 2253
1214      * String form of some distinguished names.
1215      *
1216      * @param type the name type (0-8, as specified in
1217      *             RFC 3280, section 4.2.1.7)
1218      * @param name the name in string form
1219      * @throws IOException if a parsing error occurs
1220      */
1221     public void addPathToName(int type, String name) throws IOException {
1222         addPathToNameInternal(type, name);
1223     }
1224 
1225     /**
1226      * Adds a name to the pathToNames criterion. The {@code X509Certificate}
1227      * must not include name constraints that would prohibit building a
1228      * path to the specified name.
1229      * <p>
1230      * This method allows the caller to add a name to the set of names which
1231      * the {@code X509Certificates}'s name constraints must permit.
1232      * The specified name is added to any previous value for the
1233      * pathToNames criterion. If the name is a duplicate, it may be ignored.
1234      * <p>
1235      * The name is provided as a byte array. This byte array should contain
1236      * the DER encoded name, as it would appear in the GeneralName structure
1237      * defined in RFC 3280 and X.509. The ASN.1 definition of this structure
1238      * appears in the documentation for
1239      * {@link #addSubjectAlternativeName(int type, byte [] name)
1240      * addSubjectAlternativeName(int type, byte [] name)}.
1241      * <p>
1242      * Note that the byte array supplied here is cloned to protect against
1243      * subsequent modifications.
1244      *
1245      * @param type the name type (0-8, as specified in
1246      *             RFC 3280, section 4.2.1.7)
1247      * @param name a byte array containing the name in ASN.1 DER encoded form
1248      * @throws IOException if a parsing error occurs
1249      */
1250     public void addPathToName(int type, byte [] name) throws IOException {
1251         // clone because byte arrays are modifiable
1252         addPathToNameInternal(type, name.clone());
1253     }
1254 
1255     /**
1256      * A private method that adds a name (String or byte array) to the
1257      * pathToNames criterion. The {@code X509Certificate} must contain
1258      * the specified pathToName.
1259      *
1260      * @param type the name type (0-8, as specified in
1261      *             RFC 3280, section 4.2.1.7)
1262      * @param name the name in string or byte array form
1263      * @throws IOException if an encoding error occurs (incorrect form for DN)
1264      */
1265     private void addPathToNameInternal(int type, Object name)
1266             throws IOException {
1267         // First, ensure that the name parses
1268         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
1269         if (pathToGeneralNames == null) {
1270             pathToNames = new HashSet<List<?>>();
1271             pathToGeneralNames = new HashSet<GeneralNameInterface>();
1272         }
1273         List<Object> list = new ArrayList<Object>(2);
1274         list.add(Integer.valueOf(type));
1275         list.add(name);
1276         pathToNames.add(list);
1277         pathToGeneralNames.add(tempName);
1278     }
1279 
1280     /**
1281      * Returns the certificateEquals criterion. The specified
1282      * {@code X509Certificate} must be equal to the
1283      * {@code X509Certificate} passed to the {@code match} method.
1284      * If {@code null}, this check is not applied.
1285      *
1286      * @return the {@code X509Certificate} to match (or {@code null})
1287      * @see #setCertificate
1288      */
1289     public X509Certificate getCertificate() {
1290         return x509Cert;
1291     }
1292 
1293     /**
1294      * Returns the serialNumber criterion. The specified serial number
1295      * must match the certificate serial number in the
1296      * {@code X509Certificate}. If {@code null}, any certificate
1297      * serial number will do.
1298      *
1299      * @return the certificate serial number to match
1300      *                (or {@code null})
1301      * @see #setSerialNumber
1302      */
1303     public BigInteger getSerialNumber() {
1304         return serialNumber;
1305     }
1306 
1307     /**
1308      * Returns the issuer criterion as an {@code X500Principal}. This
1309      * distinguished name must match the issuer distinguished name in the
1310      * {@code X509Certificate}. If {@code null}, the issuer criterion
1311      * is disabled and any issuer distinguished name will do.
1312      *
1313      * @return the required issuer distinguished name as X500Principal
1314      *         (or {@code null})
1315      * @since 1.5
1316      */
1317     public X500Principal getIssuer() {
1318         return issuer;
1319     }
1320 
1321     /**
1322      * <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
1323      * {@linkplain #getIssuerAsBytes()} instead. This method should not be
1324      * relied on as it can fail to match some certificates because of a loss of
1325      * encoding information in the RFC 2253 String form of some distinguished
1326      * names.
1327      * <p>
1328      * Returns the issuer criterion as a {@code String}. This
1329      * distinguished name must match the issuer distinguished name in the
1330      * {@code X509Certificate}. If {@code null}, the issuer criterion
1331      * is disabled and any issuer distinguished name will do.
1332      * <p>
1333      * If the value returned is not {@code null}, it is a
1334      * distinguished name, in RFC 2253 format.
1335      *
1336      * @return the required issuer distinguished name in RFC 2253 format
1337      *         (or {@code null})
1338      */
1339     public String getIssuerAsString() {
1340         return (issuer == null ? null : issuer.getName());
1341     }
1342 
1343     /**
1344      * Returns the issuer criterion as a byte array. This distinguished name
1345      * must match the issuer distinguished name in the
1346      * {@code X509Certificate}. If {@code null}, the issuer criterion
1347      * is disabled and any issuer distinguished name will do.
1348      * <p>
1349      * If the value returned is not {@code null}, it is a byte
1350      * array containing a single DER encoded distinguished name, as defined in
1351      * X.501. The ASN.1 notation for this structure is supplied in the
1352      * documentation for
1353      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
1354      * <p>
1355      * Note that the byte array returned is cloned to protect against
1356      * subsequent modifications.
1357      *
1358      * @return a byte array containing the required issuer distinguished name
1359      *         in ASN.1 DER format (or {@code null})
1360      * @throws IOException if an encoding error occurs
1361      */
1362     public byte[] getIssuerAsBytes() throws IOException {
1363         return (issuer == null ? null: issuer.getEncoded());
1364     }
1365 
1366     /**
1367      * Returns the subject criterion as an {@code X500Principal}. This
1368      * distinguished name must match the subject distinguished name in the
1369      * {@code X509Certificate}. If {@code null}, the subject criterion
1370      * is disabled and any subject distinguished name will do.
1371      *
1372      * @return the required subject distinguished name as X500Principal
1373      *         (or {@code null})
1374      * @since 1.5
1375      */
1376     public X500Principal getSubject() {
1377         return subject;
1378     }
1379 
1380     /**
1381      * <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
1382      * {@linkplain #getSubjectAsBytes()} instead. This method should not be
1383      * relied on as it can fail to match some certificates because of a loss of
1384      * encoding information in the RFC 2253 String form of some distinguished
1385      * names.
1386      * <p>
1387      * Returns the subject criterion as a {@code String}. This
1388      * distinguished name must match the subject distinguished name in the
1389      * {@code X509Certificate}. If {@code null}, the subject criterion
1390      * is disabled and any subject distinguished name will do.
1391      * <p>
1392      * If the value returned is not {@code null}, it is a
1393      * distinguished name, in RFC 2253 format.
1394      *
1395      * @return the required subject distinguished name in RFC 2253 format
1396      *         (or {@code null})
1397      */
1398     public String getSubjectAsString() {
1399         return (subject == null ? null : subject.getName());
1400     }
1401 
1402     /**
1403      * Returns the subject criterion as a byte array. This distinguished name
1404      * must match the subject distinguished name in the
1405      * {@code X509Certificate}. If {@code null}, the subject criterion
1406      * is disabled and any subject distinguished name will do.
1407      * <p>
1408      * If the value returned is not {@code null}, it is a byte
1409      * array containing a single DER encoded distinguished name, as defined in
1410      * X.501. The ASN.1 notation for this structure is supplied in the
1411      * documentation for
1412      * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
1413      * <p>
1414      * Note that the byte array returned is cloned to protect against
1415      * subsequent modifications.
1416      *
1417      * @return a byte array containing the required subject distinguished name
1418      *         in ASN.1 DER format (or {@code null})
1419      * @throws IOException if an encoding error occurs
1420      */
1421     public byte[] getSubjectAsBytes() throws IOException {
1422         return (subject == null ? null : subject.getEncoded());
1423     }
1424 
1425     /**
1426      * Returns the subjectKeyIdentifier criterion. The
1427      * {@code X509Certificate} must contain a SubjectKeyIdentifier
1428      * extension with the specified value. If {@code null}, no
1429      * subjectKeyIdentifier check will be done.
1430      * <p>
1431      * Note that the byte array returned is cloned to protect against
1432      * subsequent modifications.
1433      *
1434      * @return the key identifier (or {@code null})
1435      * @see #setSubjectKeyIdentifier
1436      */
1437     public byte[] getSubjectKeyIdentifier() {
1438         if (subjectKeyID == null) {
1439             return null;
1440         }
1441         return subjectKeyID.clone();
1442     }
1443 
1444     /**
1445      * Returns the authorityKeyIdentifier criterion. The
1446      * {@code X509Certificate} must contain a AuthorityKeyIdentifier
1447      * extension with the specified value. If {@code null}, no
1448      * authorityKeyIdentifier check will be done.
1449      * <p>
1450      * Note that the byte array returned is cloned to protect against
1451      * subsequent modifications.
1452      *
1453      * @return the key identifier (or {@code null})
1454      * @see #setAuthorityKeyIdentifier
1455      */
1456     public byte[] getAuthorityKeyIdentifier() {
1457         if (authorityKeyID == null) {
1458           return null;
1459         }
1460         return authorityKeyID.clone();
1461     }
1462 
1463     /**
1464      * Returns the certificateValid criterion. The specified date must fall
1465      * within the certificate validity period for the
1466      * {@code X509Certificate}. If {@code null}, no certificateValid
1467      * check will be done.
1468      * <p>
1469      * Note that the {@code Date} returned is cloned to protect against
1470      * subsequent modifications.
1471      *
1472      * @return the {@code Date} to check (or {@code null})
1473      * @see #setCertificateValid
1474      */
1475     public Date getCertificateValid() {
1476         if (certificateValid == null) {
1477             return null;
1478         }
1479         return (Date)certificateValid.clone();
1480     }
1481 
1482     /**
1483      * Returns the privateKeyValid criterion. The specified date must fall
1484      * within the private key validity period for the
1485      * {@code X509Certificate}. If {@code null}, no privateKeyValid
1486      * check will be done.
1487      * <p>
1488      * Note that the {@code Date} returned is cloned to protect against
1489      * subsequent modifications.
1490      *
1491      * @return the {@code Date} to check (or {@code null})
1492      * @see #setPrivateKeyValid
1493      */
1494     public Date getPrivateKeyValid() {
1495         if (privateKeyValid == null) {
1496             return null;
1497         }
1498         return (Date)privateKeyValid.clone();
1499     }
1500 
1501     /**
1502      * Returns the subjectPublicKeyAlgID criterion. The
1503      * {@code X509Certificate} must contain a subject public key
1504      * with the specified algorithm. If {@code null}, no
1505      * subjectPublicKeyAlgID check will be done.
1506      *
1507      * @return the object identifier (OID) of the signature algorithm to check
1508      *         for (or {@code null}). An OID is represented by a set of
1509      *         nonnegative integers separated by periods.
1510      * @see #setSubjectPublicKeyAlgID
1511      */
1512     public String getSubjectPublicKeyAlgID() {
1513         if (subjectPublicKeyAlgID == null) {
1514             return null;
1515         }
1516         return subjectPublicKeyAlgID.toString();
1517     }
1518 
1519     /**
1520      * Returns the subjectPublicKey criterion. The
1521      * {@code X509Certificate} must contain the specified subject
1522      * public key. If {@code null}, no subjectPublicKey check will be done.
1523      *
1524      * @return the subject public key to check for (or {@code null})
1525      * @see #setSubjectPublicKey
1526      */
1527     public PublicKey getSubjectPublicKey() {
1528         return subjectPublicKey;
1529     }
1530 
1531     /**
1532      * Returns the keyUsage criterion. The {@code X509Certificate}
1533      * must allow the specified keyUsage values. If null, no keyUsage
1534      * check will be done.
1535      * <p>
1536      * Note that the boolean array returned is cloned to protect against
1537      * subsequent modifications.
1538      *
1539      * @return a boolean array in the same format as the boolean
1540      *                 array returned by
1541      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
1542      *                 Or {@code null}.
1543      * @see #setKeyUsage
1544      */
1545     public boolean[] getKeyUsage() {
1546         if (keyUsage == null) {
1547             return null;
1548         }
1549         return keyUsage.clone();
1550     }
1551 
1552     /**
1553      * Returns the extendedKeyUsage criterion. The {@code X509Certificate}
1554      * must allow the specified key purposes in its extended key usage
1555      * extension. If the {@code keyPurposeSet} returned is empty or
1556      * {@code null}, no extendedKeyUsage check will be done. Note that an
1557      * {@code X509Certificate} that has no extendedKeyUsage extension
1558      * implicitly allows all key purposes.
1559      *
1560      * @return an immutable {@code Set} of key purpose OIDs in string
1561      * format (or {@code null})
1562      * @see #setExtendedKeyUsage
1563      */
1564     public Set<String> getExtendedKeyUsage() {
1565         return keyPurposeSet;
1566     }
1567 
1568     /**
1569      * Indicates if the {@code X509Certificate} must contain all
1570      * or at least one of the subjectAlternativeNames
1571      * specified in the {@link #setSubjectAlternativeNames
1572      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
1573      * addSubjectAlternativeName} methods. If {@code true},
1574      * the {@code X509Certificate} must contain all of the
1575      * specified subject alternative names. If {@code false}, the
1576      * {@code X509Certificate} must contain at least one of the
1577      * specified subject alternative names.
1578      *
1579      * @return {@code true} if the flag is enabled;
1580      * {@code false} if the flag is disabled. The flag is
1581      * {@code true} by default.
1582      * @see #setMatchAllSubjectAltNames
1583      */
1584     public boolean getMatchAllSubjectAltNames() {
1585         return matchAllSubjectAltNames;
1586     }
1587 
1588     /**
1589      * Returns a copy of the subjectAlternativeNames criterion.
1590      * The {@code X509Certificate} must contain all or at least one
1591      * of the specified subjectAlternativeNames, depending on the value
1592      * of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames
1593      * getMatchAllSubjectAltNames}). If the value returned is
1594      * {@code null}, no subjectAlternativeNames check will be performed.
1595      * <p>
1596      * If the value returned is not {@code null}, it is a
1597      * {@code Collection} with
1598      * one entry for each name to be included in the subject alternative name
1599      * criterion. Each entry is a {@code List} whose first entry is an
1600      * {@code Integer} (the name type, 0-8) and whose second
1601      * entry is a {@code String} or a byte array (the name, in
1602      * string or ASN.1 DER encoded form, respectively).
1603      * There can be multiple names of the same type.  Note that the
1604      * {@code Collection} returned may contain duplicate names (same name
1605      * and name type).
1606      * <p>
1607      * Each subject alternative name in the {@code Collection}
1608      * may be specified either as a {@code String} or as an ASN.1 encoded
1609      * byte array. For more details about the formats used, see
1610      * {@link #addSubjectAlternativeName(int type, String name)
1611      * addSubjectAlternativeName(int type, String name)} and
1612      * {@link #addSubjectAlternativeName(int type, byte [] name)
1613      * addSubjectAlternativeName(int type, byte [] name)}.
1614      * <p>
1615      * Note that a deep copy is performed on the {@code Collection} to
1616      * protect against subsequent modifications.
1617      *
1618      * @return a {@code Collection} of names (or {@code null})
1619      * @see #setSubjectAlternativeNames
1620      */
1621     public Collection<List<?>> getSubjectAlternativeNames() {
1622         if (subjectAlternativeNames == null) {
1623             return null;
1624         }
1625         return cloneNames(subjectAlternativeNames);
1626     }
1627 
1628     /**
1629      * Clone an object of the form passed to
1630      * setSubjectAlternativeNames and setPathToNames.
1631      * Throw a {@code RuntimeException} if the argument is malformed.
1632      * <p>
1633      * This method wraps cloneAndCheckNames, changing any
1634      * {@code IOException} into a {@code RuntimeException}. This
1635      * method should be used when the object being
1636      * cloned has already been checked, so there should never be any exceptions.
1637      *
1638      * @param names a {@code Collection} with one entry per name.
1639      *              Each entry is a {@code List} whose first entry
1640      *              is an Integer (the name type, 0-8) and whose second
1641      *              entry is a String or a byte array (the name, in
1642      *              string or ASN.1 DER encoded form, respectively).
1643      *              There can be multiple names of the same type. Null
1644      *              is not an acceptable value.
1645      * @return a deep copy of the specified {@code Collection}
1646      * @throws RuntimeException if a parsing error occurs
1647      */
1648     private static Set<List<?>> cloneNames(Collection<List<?>> names) {
1649         try {
1650             return cloneAndCheckNames(names);
1651         } catch (IOException e) {
1652             throw new RuntimeException("cloneNames encountered IOException: " +
1653                                        e.getMessage());
1654         }
1655     }
1656 
1657     /**
1658      * Clone and check an argument of the form passed to
1659      * setSubjectAlternativeNames and setPathToNames.
1660      * Throw an {@code IOException} if the argument is malformed.
1661      *
1662      * @param names a {@code Collection} with one entry per name.
1663      *              Each entry is a {@code List} whose first entry
1664      *              is an Integer (the name type, 0-8) and whose second
1665      *              entry is a String or a byte array (the name, in
1666      *              string or ASN.1 DER encoded form, respectively).
1667      *              There can be multiple names of the same type.
1668      *              {@code null} is not an acceptable value.
1669      * @return a deep copy of the specified {@code Collection}
1670      * @throws IOException if a parsing error occurs
1671      */
1672     private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException {
1673         // Copy the Lists and Collection
1674         Set<List<?>> namesCopy = new HashSet<List<?>>();
1675         for (List<?> o : names)
1676         {
1677             namesCopy.add(new ArrayList<Object>(o));
1678         }
1679 
1680         // Check the contents of the Lists and clone any byte arrays
1681         for (List<?> list : namesCopy) {
1682             @SuppressWarnings("unchecked") // See javadoc for parameter "names".
1683             List<Object> nameList = (List<Object>)list;
1684             if (nameList.size() != 2) {
1685                 throw new IOException("name list size not 2");
1686             }
1687             Object o = nameList.get(0);
1688             if (!(o instanceof Integer)) {
1689                 throw new IOException("expected an Integer");


1692             if ((nameType < 0) || (nameType > 8)) {
1693                 throw new IOException("name type not 0-8");
1694             }
1695             Object nameObject = nameList.get(1);
1696             if (!(nameObject instanceof byte[]) &&
1697                 !(nameObject instanceof String)) {
1698                 if (debug != null) {
1699                     debug.println("X509CertSelector.cloneAndCheckNames() "
1700                         + "name not byte array");
1701                 }
1702                 throw new IOException("name not byte array or String");
1703             }
1704             if (nameObject instanceof byte[]) {
1705                 nameList.set(1, ((byte[]) nameObject).clone());
1706             }
1707         }
1708         return namesCopy;
1709     }
1710 
1711     /**
1712      * Returns the name constraints criterion. The {@code X509Certificate}
1713      * must have subject and subject alternative names that
1714      * meet the specified name constraints.
1715      * <p>
1716      * The name constraints are returned as a byte array. This byte array
1717      * contains the DER encoded form of the name constraints, as they
1718      * would appear in the NameConstraints structure defined in RFC 3280
1719      * and X.509. The ASN.1 notation for this structure is supplied in the
1720      * documentation for
1721      * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}.
1722      * <p>
1723      * Note that the byte array returned is cloned to protect against
1724      * subsequent modifications.
1725      *
1726      * @return a byte array containing the ASN.1 DER encoding of
1727      *         a NameConstraints extension used for checking name constraints.
1728      *         {@code null} if no name constraints check will be performed.
1729      * @see #setNameConstraints
1730      */
1731     public byte[] getNameConstraints() {
1732         if (ncBytes == null) {
1733             return null;
1734         } else {
1735             return ncBytes.clone();
1736         }
1737     }
1738 
1739     /**
1740      * Returns the basic constraints constraint. If the value is greater than
1741      * or equal to zero, the {@code X509Certificates} must include a
1742      * basicConstraints extension with a pathLen of at least this value.
1743      * If the value is -2, only end-entity certificates are accepted. If
1744      * the value is -1, no basicConstraints check is done.
1745      *
1746      * @return the value for the basic constraints constraint
1747      * @see #setBasicConstraints
1748      */
1749     public int getBasicConstraints() {
1750         return basicConstraints;
1751     }
1752 
1753     /**
1754      * Returns the policy criterion. The {@code X509Certificate} must
1755      * include at least one of the specified policies in its certificate policies
1756      * extension. If the {@code Set} returned is empty, then the
1757      * {@code X509Certificate} must include at least some specified policy
1758      * in its certificate policies extension. If the {@code Set} returned is
1759      * {@code null}, no policy check will be performed.
1760      *
1761      * @return an immutable {@code Set} of certificate policy OIDs in
1762      *         string format (or {@code null})
1763      * @see #setPolicy
1764      */
1765     public Set<String> getPolicy() {
1766         return policySet;
1767     }
1768 
1769     /**
1770      * Returns a copy of the pathToNames criterion. The
1771      * {@code X509Certificate} must not include name constraints that would
1772      * prohibit building a path to the specified names. If the value
1773      * returned is {@code null}, no pathToNames check will be performed.
1774      * <p>
1775      * If the value returned is not {@code null}, it is a
1776      * {@code Collection} with one
1777      * entry for each name to be included in the pathToNames
1778      * criterion. Each entry is a {@code List} whose first entry is an
1779      * {@code Integer} (the name type, 0-8) and whose second
1780      * entry is a {@code String} or a byte array (the name, in
1781      * string or ASN.1 DER encoded form, respectively).
1782      * There can be multiple names of the same type. Note that the
1783      * {@code Collection} returned may contain duplicate names (same
1784      * name and name type).
1785      * <p>
1786      * Each name in the {@code Collection}
1787      * may be specified either as a {@code String} or as an ASN.1 encoded
1788      * byte array. For more details about the formats used, see
1789      * {@link #addPathToName(int type, String name)
1790      * addPathToName(int type, String name)} and
1791      * {@link #addPathToName(int type, byte [] name)
1792      * addPathToName(int type, byte [] name)}.
1793      * <p>
1794      * Note that a deep copy is performed on the {@code Collection} to
1795      * protect against subsequent modifications.
1796      *
1797      * @return a {@code Collection} of names (or {@code null})
1798      * @see #setPathToNames
1799      */
1800     public Collection<List<?>> getPathToNames() {
1801         if (pathToNames == null) {
1802             return null;
1803         }
1804         return cloneNames(pathToNames);
1805     }
1806 
1807     /**
1808      * Return a printable representation of the {@code CertSelector}.
1809      *
1810      * @return a {@code String} describing the contents of the
1811      *         {@code CertSelector}
1812      */
1813     public String toString() {
1814         StringBuffer sb = new StringBuffer();
1815         sb.append("X509CertSelector: [\n");
1816         if (x509Cert != null) {
1817             sb.append("  Certificate: " + x509Cert.toString() + "\n");
1818         }
1819         if (serialNumber != null) {
1820             sb.append("  Serial Number: " + serialNumber.toString() + "\n");
1821         }
1822         if (issuer != null) {
1823             sb.append("  Issuer: " + getIssuerAsString() + "\n");
1824         }
1825         if (subject != null) {
1826             sb.append("  Subject: " + getSubjectAsString() + "\n");
1827         }
1828         sb.append("  matchAllSubjectAltNames flag: "
1829                   + String.valueOf(matchAllSubjectAltNames) + "\n");
1830         if (subjectAlternativeNames != null) {
1831             sb.append("  SubjectAlternativeNames:\n");


1910                 s += "  Key_CertSign\n";
1911             }
1912             if (k[6]) {
1913                 s += "  Crl_Sign\n";
1914             }
1915             if (k[7]) {
1916                 s += "  Encipher_Only\n";
1917             }
1918             if (k[8]) {
1919                 s += "  Decipher_Only\n";
1920             }
1921         } catch (ArrayIndexOutOfBoundsException ex) {}
1922 
1923         s += "]\n";
1924 
1925         return (s);
1926     }
1927 
1928     /**
1929      * Returns an Extension object given any X509Certificate and extension oid.
1930      * Throw an {@code IOException} if the extension byte value is
1931      * malformed.
1932      *
1933      * @param cert a {@code X509Certificate}
1934      * @param extId an {@code integer} which specifies the extension index.
1935      * Currently, the supported extensions are as follows:
1936      * index 0 - PrivateKeyUsageExtension
1937      * index 1 - SubjectAlternativeNameExtension
1938      * index 2 - NameConstraintsExtension
1939      * index 3 - CertificatePoliciesExtension
1940      * index 4 - ExtendedKeyUsageExtension
1941      * @return an {@code Extension} object whose real type is as specified
1942      * by the extension oid.
1943      * @throws IOException if cannot construct the {@code Extension}
1944      * object with the extension encoding retrieved from the passed in
1945      * {@code X509Certificate}.
1946      */
1947     private static Extension getExtensionObject(X509Certificate cert, int extId)
1948             throws IOException {
1949         if (cert instanceof X509CertImpl) {
1950             X509CertImpl impl = (X509CertImpl)cert;
1951             switch (extId) {
1952             case PRIVATE_KEY_USAGE_ID:
1953                 return impl.getPrivateKeyUsageExtension();
1954             case SUBJECT_ALT_NAME_ID:
1955                 return impl.getSubjectAlternativeNameExtension();
1956             case NAME_CONSTRAINTS_ID:
1957                 return impl.getNameConstraintsExtension();
1958             case CERT_POLICIES_ID:
1959                 return impl.getCertificatePoliciesExtension();
1960             case EXTENDED_KEY_USAGE_ID:
1961                 return impl.getExtendedKeyUsageExtension();
1962             default:
1963                 return null;
1964             }
1965         }


1973         case PRIVATE_KEY_USAGE_ID:
1974             try {
1975                 return new PrivateKeyUsageExtension(FALSE, encoded);
1976             } catch (CertificateException ex) {
1977                 throw new IOException(ex.getMessage());
1978             }
1979         case SUBJECT_ALT_NAME_ID:
1980             return new SubjectAlternativeNameExtension(FALSE, encoded);
1981         case NAME_CONSTRAINTS_ID:
1982             return new NameConstraintsExtension(FALSE, encoded);
1983         case CERT_POLICIES_ID:
1984             return new CertificatePoliciesExtension(FALSE, encoded);
1985         case EXTENDED_KEY_USAGE_ID:
1986             return new ExtendedKeyUsageExtension(FALSE, encoded);
1987         default:
1988             return null;
1989         }
1990     }
1991 
1992     /**
1993      * Decides whether a {@code Certificate} should be selected.
1994      *
1995      * @param cert the {@code Certificate} to be checked
1996      * @return {@code true} if the {@code Certificate} should be
1997      *         selected, {@code false} otherwise
1998      */
1999     public boolean match(Certificate cert) {
2000         if (!(cert instanceof X509Certificate)) {
2001             return false;
2002         }
2003         X509Certificate xcert = (X509Certificate)cert;
2004 
2005         if (debug != null) {
2006             debug.println("X509CertSelector.match(SN: "
2007                 + (xcert.getSerialNumber()).toString(16) + "\n  Issuer: "
2008                 + xcert.getIssuerDN() + "\n  Subject: " + xcert.getSubjectDN()
2009                 + ")");
2010         }
2011 
2012         /* match on X509Certificate */
2013         if (x509Cert != null) {
2014             if (!x509Cert.equals(xcert)) {
2015                 if (debug != null) {
2016                     debug.println("X509CertSelector.match: "
2017                         + "certs don't match");