1 /*
   2  * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 
  27 package javax.security.cert;
  28 
  29 import java.io.InputStream;
  30 import java.lang.Class;
  31 import java.lang.reflect.Constructor;
  32 import java.lang.reflect.InvocationTargetException;
  33 import java.security.Security;
  34 
  35 import java.math.BigInteger;
  36 import java.security.AccessController;
  37 import java.security.Principal;
  38 import java.security.PrivilegedAction;
  39 import java.security.PublicKey;
  40 import java.util.BitSet;
  41 import java.util.Date;
  42 
  43 /**
  44  * Abstract class for X.509 v1 certificates. This provides a standard
  45  * way to access all the version 1 attributes of an X.509 certificate.
  46  * Attributes that are specific to X.509 v2 or v3 are not available
  47  * through this interface. Future API evolution will provide full access to
  48  * complete X.509 v3 attributes.
  49  * <p>
  50  * The basic X.509 format was defined by
  51  * ISO/IEC and ANSI X9 and is described below in ASN.1:
  52  * <pre>
  53  * Certificate  ::=  SEQUENCE  {
  54  *     tbsCertificate       TBSCertificate,
  55  *     signatureAlgorithm   AlgorithmIdentifier,
  56  *     signature            BIT STRING  }
  57  * </pre>
  58  * <p>
  59  * These certificates are widely used to support authentication and
  60  * other functionality in Internet security systems. Common applications
  61  * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
  62  * code signing for trusted software distribution, and Secure Electronic
  63  * Transactions (SET).
  64  * <p>
  65  * These certificates are managed and vouched for by <em>Certificate
  66  * Authorities</em> (CAs). CAs are services which create certificates by
  67  * placing data in the X.509 standard format and then digitally signing
  68  * that data. CAs act as trusted third parties, making introductions
  69  * between principals who have no direct knowledge of each other.
  70  * CA certificates are either signed by themselves, or by some other
  71  * CA such as a "root" CA.
  72  * <p>
  73  * The ASN.1 definition of {@code tbsCertificate} is:
  74  * <pre>
  75  * TBSCertificate  ::=  SEQUENCE  {
  76  *     version         [0]  EXPLICIT Version DEFAULT v1,
  77  *     serialNumber         CertificateSerialNumber,
  78  *     signature            AlgorithmIdentifier,
  79  *     issuer               Name,
  80  *     validity             Validity,
  81  *     subject              Name,
  82  *     subjectPublicKeyInfo SubjectPublicKeyInfo,
  83  *     }
  84  * </pre>
  85  * <p>
  86  * Here is sample code to instantiate an X.509 certificate:
  87  * <pre>
  88  * InputStream inStream = new FileInputStream("fileName-of-cert");
  89  * X509Certificate cert = X509Certificate.getInstance(inStream);
  90  * inStream.close();
  91  * </pre>
  92  * OR
  93  * <pre>
  94  * byte[] certData = &lt;certificate read from a file, say&gt;
  95  * X509Certificate cert = X509Certificate.getInstance(certData);
  96  * </pre>
  97  * <p>
  98  * In either case, the code that instantiates an X.509 certificate
  99  * consults the value of the {@code cert.provider.x509v1} security property
 100  * to locate the actual implementation or instantiates a default implementation.
 101  * <p>
 102  * The {@code cert.provider.x509v1} property is set to a default
 103  * implementation for X.509 such as:
 104  * <pre>
 105  * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl
 106  * </pre>
 107  * <p>
 108  * The value of this {@code cert.provider.x509v1} property has to be
 109  * changed to instantiate another implementation. If this security
 110  * property is not set, a default implementation will be used.
 111  * Currently, due to possible security restrictions on access to
 112  * Security properties, this value is looked up and cached at class
 113  * initialization time and will fallback on a default implementation if
 114  * the Security property is not accessible.
 115  *
 116  * <p><em>Note: The classes in the package {@code javax.security.cert}
 117  * exist for compatibility with earlier versions of the
 118  * Java Secure Sockets Extension (JSSE). New applications should instead
 119  * use the standard Java SE certificate classes located in
 120  * {@code java.security.cert}.</em></p>
 121  *
 122  * @author Hemma Prafullchandra
 123  * @since 1.4
 124  * @see Certificate
 125  * @see java.security.cert.X509Extension
 126  * @see java.security.Security security properties
 127  * @deprecated Use the classes in {@code java.security.cert} instead.
 128  */
 129 @SuppressWarnings("removal")
 130 @Deprecated(since="9", forRemoval=true)
 131 public abstract class X509Certificate extends Certificate {
 132 
 133     /**
 134      * Constant to lookup in the Security properties file.
 135      * In the Security properties file the default implementation
 136      * for X.509 v3 is given as:
 137      * <pre>
 138      * cert.provider.x509v1=com.sun.security.cert.internal.x509.X509V1CertImpl
 139      * </pre>
 140      */
 141     private static final String X509_PROVIDER = "cert.provider.x509v1";
 142     private static String X509Provider;
 143 
 144     static {
 145         X509Provider = AccessController.doPrivileged(
 146             new PrivilegedAction<>() {
 147                 public String run() {
 148                     return Security.getProperty(X509_PROVIDER);
 149                 }
 150             }
 151         );
 152     }
 153 
 154     /**
 155      * Instantiates an X509Certificate object, and initializes it with
 156      * the data read from the input stream {@code inStream}.
 157      * The implementation (X509Certificate is an abstract class) is
 158      * provided by the class specified as the value of the
 159      * {@code cert.provider.x509v1} security property.
 160      *
 161      * <p>Note: Only one DER-encoded
 162      * certificate is expected to be in the input stream.
 163      * Also, all X509Certificate
 164      * subclasses must provide a constructor of the form:
 165      * <pre>{@code
 166      * public <subClass>(InputStream inStream) ...
 167      * }</pre>
 168      *
 169      * @param inStream an input stream with the data to be read to
 170      *        initialize the certificate.
 171      * @return an X509Certificate object initialized with the data
 172      *         from the input stream.
 173      * @exception CertificateException if a class initialization
 174      *            or certificate parsing error occurs.
 175      */
 176     public static final X509Certificate getInstance(InputStream inStream)
 177     throws CertificateException {
 178         return getInst((Object)inStream);
 179     }
 180 
 181     /**
 182      * Instantiates an X509Certificate object, and initializes it with
 183      * the specified byte array.
 184      * The implementation (X509Certificate is an abstract class) is
 185      * provided by the class specified as the value of the
 186      * {@code cert.provider.x509v1} security property.
 187      *
 188      * <p>Note: All X509Certificate
 189      * subclasses must provide a constructor of the form:
 190      * <pre>{@code
 191      * public <subClass>(InputStream inStream) ...
 192      * }</pre>
 193      *
 194      * @param certData a byte array containing the DER-encoded
 195      *        certificate.
 196      * @return an X509Certificate object initialized with the data
 197      *         from {@code certData}.
 198      * @exception CertificateException if a class initialization
 199      *            or certificate parsing error occurs.
 200      */
 201     public static final X509Certificate getInstance(byte[] certData)
 202     throws CertificateException {
 203         return getInst((Object)certData);
 204     }
 205 
 206     private static final X509Certificate getInst(Object value)
 207     throws CertificateException {
 208         /*
 209          * This turns out not to work for now. To run under JDK1.2 we would
 210          * need to call beginPrivileged() but we can't do that and run
 211          * under JDK1.1.
 212          */
 213         String className = X509Provider;
 214         if (className == null || className.isEmpty()) {
 215             // shouldn't happen, but assume corrupted properties file
 216             // provide access to sun implementation
 217             className = "com.sun.security.cert.internal.x509.X509V1CertImpl";
 218         }
 219         try {
 220             Class<?>[] params = null;
 221             if (value instanceof InputStream) {
 222                 params = new Class<?>[] { InputStream.class };
 223             } else if (value instanceof byte[]) {
 224                 params = new Class<?>[] { value.getClass() };
 225             } else
 226                 throw new CertificateException("Unsupported argument type");
 227             Class<?> certClass = Class.forName(className);
 228 
 229             // get the appropriate constructor and instantiate it
 230             Constructor<?> cons = certClass.getConstructor(params);
 231 
 232             // get a new instance
 233             Object obj = cons.newInstance(new Object[] {value});
 234             return (X509Certificate)obj;
 235 
 236         } catch (ClassNotFoundException e) {
 237           throw new CertificateException("Could not find class: " + e);
 238         } catch (IllegalAccessException e) {
 239           throw new CertificateException("Could not access class: " + e);
 240         } catch (InstantiationException e) {
 241           throw new CertificateException("Problems instantiating: " + e);
 242         } catch (InvocationTargetException e) {
 243           throw new CertificateException("InvocationTargetException: "
 244                                          + e.getTargetException());
 245         } catch (NoSuchMethodException e) {
 246           throw new CertificateException("Could not find class method: "
 247                                           + e.getMessage());
 248         }
 249     }
 250 
 251     /**
 252      * Checks that the certificate is currently valid. It is if
 253      * the current date and time are within the validity period given in the
 254      * certificate.
 255      * <p>
 256      * The validity period consists of two date/time values:
 257      * the first and last dates (and times) on which the certificate
 258      * is valid. It is defined in
 259      * ASN.1 as:
 260      * <pre>
 261      * validity             Validity
 262      *
 263      * Validity ::= SEQUENCE {
 264      *     notBefore      CertificateValidityDate,
 265      *     notAfter       CertificateValidityDate }
 266      *
 267      * CertificateValidityDate ::= CHOICE {
 268      *     utcTime        UTCTime,
 269      *     generalTime    GeneralizedTime }
 270      * </pre>
 271      *
 272      * @exception CertificateExpiredException if the certificate has expired.
 273      * @exception CertificateNotYetValidException if the certificate is not
 274      *            yet valid.
 275      */
 276     public abstract void checkValidity()
 277         throws CertificateExpiredException, CertificateNotYetValidException;
 278 
 279     /**
 280      * Checks that the specified date is within the certificate's
 281      * validity period. In other words, this determines whether the
 282      * certificate would be valid at the specified date/time.
 283      *
 284      * @param date the Date to check against to see if this certificate
 285      *        is valid at that date/time.
 286      * @exception CertificateExpiredException if the certificate has expired
 287      *            with respect to the {@code date} supplied.
 288      * @exception CertificateNotYetValidException if the certificate is not
 289      *            yet valid with respect to the {@code date} supplied.
 290      * @see #checkValidity()
 291      */
 292     public abstract void checkValidity(Date date)
 293         throws CertificateExpiredException, CertificateNotYetValidException;
 294 
 295     /**
 296      * Gets the {@code version} (version number) value from the
 297      * certificate. The ASN.1 definition for this is:
 298      * <pre>
 299      * version         [0]  EXPLICIT Version DEFAULT v1
 300      *
 301      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 302      * </pre>
 303      *
 304      * @return the version number from the ASN.1 encoding, i.e. 0, 1 or 2.
 305      */
 306     public abstract int getVersion();
 307 
 308     /**
 309      * Gets the {@code serialNumber} value from the certificate.
 310      * The serial number is an integer assigned by the certification
 311      * authority to each certificate. It must be unique for each
 312      * certificate issued by a given CA (i.e., the issuer name and
 313      * serial number identify a unique certificate).
 314      * The ASN.1 definition for this is:
 315      * <pre>
 316      * serialNumber     CertificateSerialNumber
 317      *
 318      * CertificateSerialNumber  ::=  INTEGER
 319      * </pre>
 320      *
 321      * @return the serial number.
 322      */
 323     public abstract BigInteger getSerialNumber();
 324 
 325     /**
 326      * Gets the {@code issuer} (issuer distinguished name) value from
 327      * the certificate. The issuer name identifies the entity that signed (and
 328      * issued) the certificate.
 329      *
 330      * <p>The issuer name field contains an
 331      * X.500 distinguished name (DN).
 332      * The ASN.1 definition for this is:
 333      * <pre>
 334      * issuer    Name
 335      *
 336      * Name ::= CHOICE { RDNSequence }
 337      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 338      * RelativeDistinguishedName ::=
 339      *     SET OF AttributeValueAssertion
 340      *
 341      * AttributeValueAssertion ::= SEQUENCE {
 342      *                               AttributeType,
 343      *                               AttributeValue }
 344      * AttributeType ::= OBJECT IDENTIFIER
 345      * AttributeValue ::= ANY
 346      * </pre>
 347      * The {@code Name} describes a hierarchical name composed of
 348      * attributes, such as country name, and corresponding values, such as US.
 349      * The type of the {@code AttributeValue} component is determined by
 350      * the {@code AttributeType}; in general it will be a
 351      * {@code directoryString}. A {@code directoryString} is usually
 352      * one of {@code PrintableString},
 353      * {@code TeletexString} or {@code UniversalString}.
 354      *
 355      * @return a Principal whose name is the issuer distinguished name.
 356      */
 357     public abstract Principal getIssuerDN();
 358 
 359     /**
 360      * Gets the {@code subject} (subject distinguished name) value
 361      * from the certificate.
 362      * The ASN.1 definition for this is:
 363      * <pre>
 364      * subject    Name
 365      * </pre>
 366      *
 367      * <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
 368      * and other relevant definitions.
 369      *
 370      * @return a Principal whose name is the subject name.
 371      * @see #getIssuerDN()
 372      */
 373     public abstract Principal getSubjectDN();
 374 
 375     /**
 376      * Gets the {@code notBefore} date from the validity period of
 377      * the certificate.
 378      * The relevant ASN.1 definitions are:
 379      * <pre>
 380      * validity             Validity
 381      *
 382      * Validity ::= SEQUENCE {
 383      *     notBefore      CertificateValidityDate,
 384      *     notAfter       CertificateValidityDate }
 385      *
 386      * CertificateValidityDate ::= CHOICE {
 387      *     utcTime        UTCTime,
 388      *     generalTime    GeneralizedTime }
 389      * </pre>
 390      *
 391      * @return the start date of the validity period.
 392      * @see #checkValidity()
 393      */
 394     public abstract Date getNotBefore();
 395 
 396     /**
 397      * Gets the {@code notAfter} date from the validity period of
 398      * the certificate. See {@link #getNotBefore() getNotBefore}
 399      * for relevant ASN.1 definitions.
 400      *
 401      * @return the end date of the validity period.
 402      * @see #checkValidity()
 403      */
 404     public abstract Date getNotAfter();
 405 
 406     /**
 407      * Gets the signature algorithm name for the certificate
 408      * signature algorithm. An example is the string "SHA-1/DSA".
 409      * The ASN.1 definition for this is:
 410      * <pre>
 411      * signatureAlgorithm   AlgorithmIdentifier
 412      *
 413      * AlgorithmIdentifier  ::=  SEQUENCE  {
 414      *     algorithm               OBJECT IDENTIFIER,
 415      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
 416      *                             -- contains a value of the type
 417      *                             -- registered for use with the
 418      *                             -- algorithm object identifier value
 419      * </pre>
 420      *
 421      * <p>The algorithm name is determined from the {@code algorithm}
 422      * OID string.
 423      *
 424      * @return the signature algorithm name.
 425      */
 426     public abstract String getSigAlgName();
 427 
 428     /**
 429      * Gets the signature algorithm OID string from the certificate.
 430      * An OID is represented by a set of positive whole numbers separated
 431      * by periods.
 432      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
 433      * with DSA signature algorithm, as per the PKIX part I.
 434      *
 435      * <p>See {@link #getSigAlgName() getSigAlgName} for
 436      * relevant ASN.1 definitions.
 437      *
 438      * @return the signature algorithm OID string.
 439      */
 440     public abstract String getSigAlgOID();
 441 
 442     /**
 443      * Gets the DER-encoded signature algorithm parameters from this
 444      * certificate's signature algorithm. In most cases, the signature
 445      * algorithm parameters are null; the parameters are usually
 446      * supplied with the certificate's public key.
 447      *
 448      * <p>See {@link #getSigAlgName() getSigAlgName} for
 449      * relevant ASN.1 definitions.
 450      *
 451      * @return the DER-encoded signature algorithm parameters, or
 452      *         null if no parameters are present.
 453      */
 454     public abstract byte[] getSigAlgParams();
 455 }