src/share/classes/java/security/cert/TrustAnchor.java
Print this page
*** 1,7 ****
/*
! * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
/*
! * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
*** 38,57 ****
* <p>
* This class represents a "most-trusted CA", which is used as a trust anchor
* for validating X.509 certification paths. A most-trusted CA includes the
* public key of the CA, the CA's name, and any constraints upon the set of
* paths which may be validated using this key. These parameters can be
! * specified in the form of a trusted <code>X509Certificate</code> or as
* individual parameters.
* <p>
* <b>Concurrent Access</b>
* <p>
! * <p>All <code>TrustAnchor</code> objects must be immutable and
* thread-safe. That is, multiple threads may concurrently invoke the
! * methods defined in this class on a single <code>TrustAnchor</code>
* object (or more than one) with no ill effects. Requiring
! * <code>TrustAnchor</code> objects to be immutable and thread-safe
* allows them to be passed around to various pieces of code without
* worrying about coordinating access. This stipulation applies to all
* public fields and methods of this class and any added or overridden
* by subclasses.
*
--- 38,57 ----
* <p>
* This class represents a "most-trusted CA", which is used as a trust anchor
* for validating X.509 certification paths. A most-trusted CA includes the
* public key of the CA, the CA's name, and any constraints upon the set of
* paths which may be validated using this key. These parameters can be
! * specified in the form of a trusted {@code X509Certificate} or as
* individual parameters.
* <p>
* <b>Concurrent Access</b>
* <p>
! * <p>All {@code TrustAnchor} objects must be immutable and
* thread-safe. That is, multiple threads may concurrently invoke the
! * methods defined in this class on a single {@code TrustAnchor}
* object (or more than one) with no ill effects. Requiring
! * {@code TrustAnchor} objects to be immutable and thread-safe
* allows them to be passed around to various pieces of code without
* worrying about coordinating access. This stipulation applies to all
* public fields and methods of this class and any added or overridden
* by subclasses.
*
*** 69,90 ****
private final X509Certificate trustedCert;
private byte[] ncBytes;
private NameConstraintsExtension nc;
/**
! * Creates an instance of <code>TrustAnchor</code> with the specified
! * <code>X509Certificate</code> and optional name constraints, which
* are intended to be used as additional constraints when validating
* an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
* should contain the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in
* <a href="http://www.ietf.org/rfc/rfc3280">RFC 3280</a>
* and X.509. The ASN.1 definition of this structure appears below.
*
! * <pre><code>
* NameConstraints ::= SEQUENCE {
* permittedSubtrees [0] GeneralSubtrees OPTIONAL,
* excludedSubtrees [1] GeneralSubtrees OPTIONAL }
*
* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
--- 69,90 ----
private final X509Certificate trustedCert;
private byte[] ncBytes;
private NameConstraintsExtension nc;
/**
! * Creates an instance of {@code TrustAnchor} with the specified
! * {@code X509Certificate} and optional name constraints, which
* are intended to be used as additional constraints when validating
* an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
* should contain the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in
* <a href="http://www.ietf.org/rfc/rfc3280">RFC 3280</a>
* and X.509. The ASN.1 definition of this structure appears below.
*
! * <pre>{@code
* NameConstraints ::= SEQUENCE {
* permittedSubtrees [0] GeneralSubtrees OPTIONAL,
* excludedSubtrees [1] GeneralSubtrees OPTIONAL }
*
* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
*** 104,127 ****
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER}
! * </code></pre>
* <p>
* Note that the name constraints byte array supplied is cloned to protect
* against subsequent modifications.
*
! * @param trustedCert a trusted <code>X509Certificate</code>
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify <code>null</code> to omit the parameter.
* @throws IllegalArgumentException if the name constraints cannot be
* decoded
* @throws NullPointerException if the specified
! * <code>X509Certificate</code> is <code>null</code>
*/
public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
{
if (trustedCert == null)
throw new NullPointerException("the trustedCert parameter must " +
--- 104,127 ----
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER}
! * }</pre>
* <p>
* Note that the name constraints byte array supplied is cloned to protect
* against subsequent modifications.
*
! * @param trustedCert a trusted {@code X509Certificate}
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify {@code null} to omit the parameter.
* @throws IllegalArgumentException if the name constraints cannot be
* decoded
* @throws NullPointerException if the specified
! * {@code X509Certificate} is {@code null}
*/
public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
{
if (trustedCert == null)
throw new NullPointerException("the trustedCert parameter must " +
*** 132,142 ****
this.caPrincipal = null;
setNameConstraints(nameConstraints);
}
/**
! * Creates an instance of <code>TrustAnchor</code> where the
* most-trusted CA is specified as an X500Principal and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
--- 132,142 ----
this.caPrincipal = null;
setNameConstraints(nameConstraints);
}
/**
! * Creates an instance of {@code TrustAnchor} where the
* most-trusted CA is specified as an X500Principal and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
*** 153,165 ****
* @param caPrincipal the name of the most-trusted CA as X500Principal
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify <code>null</code> to omit the parameter.
! * @throws NullPointerException if the specified <code>caPrincipal</code> or
! * <code>pubKey</code> parameter is <code>null</code>
* @since 1.5
*/
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
byte[] nameConstraints) {
if ((caPrincipal == null) || (pubKey == null)) {
--- 153,165 ----
* @param caPrincipal the name of the most-trusted CA as X500Principal
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify {@code null} to omit the parameter.
! * @throws NullPointerException if the specified {@code caPrincipal} or
! * {@code pubKey} parameter is {@code null}
* @since 1.5
*/
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
byte[] nameConstraints) {
if ((caPrincipal == null) || (pubKey == null)) {
*** 171,181 ****
this.pubKey = pubKey;
setNameConstraints(nameConstraints);
}
/**
! * Creates an instance of <code>TrustAnchor</code> where the
* most-trusted CA is specified as a distinguished name and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
--- 171,181 ----
this.pubKey = pubKey;
setNameConstraints(nameConstraints);
}
/**
! * Creates an instance of {@code TrustAnchor} where the
* most-trusted CA is specified as a distinguished name and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
*** 189,209 ****
* Note that the name constraints byte array supplied here is cloned to
* protect against subsequent modifications.
*
* @param caName the X.500 distinguished name of the most-trusted CA in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a>
! * <code>String</code> format
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify <code>null</code> to omit the parameter.
! * @throws IllegalArgumentException if the specified <code>
! * caName</code> parameter is empty <code>(caName.length() == 0)</code>
* or incorrectly formatted or the name constraints cannot be decoded
! * @throws NullPointerException if the specified <code>caName</code> or
! * <code>pubKey</code> parameter is <code>null</code>
*/
public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
{
if (pubKey == null)
throw new NullPointerException("the pubKey parameter must be " +
--- 189,209 ----
* Note that the name constraints byte array supplied here is cloned to
* protect against subsequent modifications.
*
* @param caName the X.500 distinguished name of the most-trusted CA in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a>
! * {@code String} format
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
! * flag. Specify {@code null} to omit the parameter.
! * @throws IllegalArgumentException if the specified
! * {@code caName} parameter is empty {@code (caName.length() == 0)}
* or incorrectly formatted or the name constraints cannot be decoded
! * @throws NullPointerException if the specified {@code caName} or
! * {@code pubKey} parameter is {@code null}
*/
public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
{
if (pubKey == null)
throw new NullPointerException("the pubKey parameter must be " +
*** 223,267 ****
}
/**
* Returns the most-trusted CA certificate.
*
! * @return a trusted <code>X509Certificate</code> or <code>null</code>
* if the trust anchor was not specified as a trusted certificate
*/
public final X509Certificate getTrustedCert() {
return this.trustedCert;
}
/**
* Returns the name of the most-trusted CA as an X500Principal.
*
* @return the X.500 distinguished name of the most-trusted CA, or
! * <code>null</code> if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
* @since 1.5
*/
public final X500Principal getCA() {
return this.caPrincipal;
}
/**
! * Returns the name of the most-trusted CA in RFC 2253 <code>String</code>
* format.
*
* @return the X.500 distinguished name of the most-trusted CA, or
! * <code>null</code> if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
*/
public final String getCAName() {
return this.caName;
}
/**
* Returns the public key of the most-trusted CA.
*
! * @return the public key of the most-trusted CA, or <code>null</code>
* if the trust anchor was not specified as a trusted public key and name
* or X500Principal pair
*/
public final PublicKey getCAPublicKey() {
return this.pubKey;
--- 223,267 ----
}
/**
* Returns the most-trusted CA certificate.
*
! * @return a trusted {@code X509Certificate} or {@code null}
* if the trust anchor was not specified as a trusted certificate
*/
public final X509Certificate getTrustedCert() {
return this.trustedCert;
}
/**
* Returns the name of the most-trusted CA as an X500Principal.
*
* @return the X.500 distinguished name of the most-trusted CA, or
! * {@code null} if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
* @since 1.5
*/
public final X500Principal getCA() {
return this.caPrincipal;
}
/**
! * Returns the name of the most-trusted CA in RFC 2253 {@code String}
* format.
*
* @return the X.500 distinguished name of the most-trusted CA, or
! * {@code null} if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
*/
public final String getCAName() {
return this.caName;
}
/**
* Returns the public key of the most-trusted CA.
*
! * @return the public key of the most-trusted CA, or {@code null}
* if the trust anchor was not specified as a trusted public key and name
* or X500Principal pair
*/
public final PublicKey getCAPublicKey() {
return this.pubKey;
*** 304,323 ****
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
*
* @return a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension used for checking name constraints,
! * or <code>null</code> if not set.
*/
public final byte [] getNameConstraints() {
return ncBytes == null ? null : ncBytes.clone();
}
/**
! * Returns a formatted string describing the <code>TrustAnchor</code>.
*
! * @return a formatted string describing the <code>TrustAnchor</code>
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("[\n");
if (pubKey != null) {
--- 304,323 ----
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
*
* @return a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension used for checking name constraints,
! * or {@code null} if not set.
*/
public final byte [] getNameConstraints() {
return ncBytes == null ? null : ncBytes.clone();
}
/**
! * Returns a formatted string describing the {@code TrustAnchor}.
*
! * @return a formatted string describing the {@code TrustAnchor}
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("[\n");
if (pubKey != null) {