1 /*
2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.cert.*;
38 import java.security.cert.Certificate;
39 import java.util.*;
40
41 import javax.security.auth.x500.X500Principal;
42
43 import sun.misc.HexDumpEncoder;
44 import sun.misc.BASE64Decoder;
45 import sun.security.util.*;
46 import sun.security.provider.X509Factory;
47
48 /**
49 * The X509CertImpl class represents an X.509 certificate. These certificates
50 * are widely used to support authentication and other functionality in
51 * Internet security systems. Common applications include Privacy Enhanced
52 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
53 * software distribution, and Secure Electronic Transactions (SET). There
54 * is a commercial infrastructure ready to manage large scale deployments
55 * of X.509 identity certificates.
56 *
57 * <P>These certificates are managed and vouched for by <em>Certificate
58 * Authorities</em> (CAs). CAs are services which create certificates by
59 * placing data in the X.509 standard format and then digitally signing
60 * that data. Such signatures are quite difficult to forge. CAs act as
61 * trusted third parties, making introductions between agents who have no
62 * direct knowledge of each other. CA certificates are either signed by
63 * themselves, or by some other CA such as a "root" CA.
64 *
65 * <P>RFC 1422 is very informative, though it does not describe much
66 * of the recent work being done with X.509 certificates. That includes
67 * a 1996 version (X.509v3) and a variety of enhancements being made to
68 * facilitate an explosion of personal certificates used as "Internet
69 * Drivers' Licences", or with SET for credit card transactions.
70 *
71 * <P>More recent work includes the IETF PKIX Working Group efforts,
72 * especially RFC2459.
73 *
74 * @author Dave Brownell
75 * @author Amit Kapoor
76 * @author Hemma Prafullchandra
77 * @see X509CertInfo
78 */
79 public class X509CertImpl extends X509Certificate implements DerEncoder {
80
81 private static final long serialVersionUID = -3457612960190864406L;
82
83 private static final String DOT = ".";
84 /**
85 * Public attribute names.
86 */
87 public static final String NAME = "x509";
88 public static final String INFO = X509CertInfo.NAME;
89 public static final String ALG_ID = "algorithm";
90 public static final String SIGNATURE = "signature";
91 public static final String SIGNED_CERT = "signed_cert";
92
93 /**
94 * The following are defined for ease-of-use. These
95 * are the most frequently retrieved attributes.
96 */
97 // x509.info.subject.dname
98 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
99 X509CertInfo.SUBJECT + DOT +
100 CertificateSubjectName.DN_NAME;
101 // x509.info.issuer.dname
102 public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
103 X509CertInfo.ISSUER + DOT +
104 CertificateIssuerName.DN_NAME;
105 // x509.info.serialNumber.number
106 public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
107 X509CertInfo.SERIAL_NUMBER + DOT +
108 CertificateSerialNumber.NUMBER;
109 // x509.info.key.value
110 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
111 X509CertInfo.KEY + DOT +
112 CertificateX509Key.KEY;
113
114 // x509.info.version.value
115 public static final String VERSION = NAME + DOT + INFO + DOT +
116 X509CertInfo.VERSION + DOT +
117 CertificateVersion.VERSION;
118
119 // x509.algorithm
120 public static final String SIG_ALG = NAME + DOT + ALG_ID;
121
122 // x509.signature
123 public static final String SIG = NAME + DOT + SIGNATURE;
124
125 // when we sign and decode we set this to true
126 // this is our means to make certificates immutable
127 private boolean readOnly = false;
128
129 // Certificate data, and its envelope
130 private byte[] signedCert = null;
131 protected X509CertInfo info = null;
132 protected AlgorithmId algId = null;
133 protected byte[] signature = null;
134
135 // recognized extension OIDS
136 private static final String KEY_USAGE_OID = "2.5.29.15";
137 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
138 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
139 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
140 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
141 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
142
143 // number of standard key usage bits.
144 private static final int NUM_STANDARD_KEY_USAGE = 9;
145
146 // SubjectAlterntativeNames cache
147 private Collection<List<?>> subjectAlternativeNames;
148
149 // IssuerAlternativeNames cache
150 private Collection<List<?>> issuerAlternativeNames;
151
152 // ExtendedKeyUsage cache
153 private List<String> extKeyUsage;
154
155 // AuthorityInformationAccess cache
156 private Set<AccessDescription> authInfoAccess;
157
158 /**
159 * PublicKey that has previously been used to verify
160 * the signature of this certificate. Null if the certificate has not
161 * yet been verified.
162 */
163 private PublicKey verifiedPublicKey;
164 /**
165 * If verifiedPublicKey is not null, name of the provider used to
166 * successfully verify the signature of this certificate, or the
167 * empty String if no provider was explicitly specified.
168 */
169 private String verifiedProvider;
170 /**
171 * If verifiedPublicKey is not null, result of the verification using
172 * verifiedPublicKey and verifiedProvider. If true, verification was
173 * successful, if false, it failed.
174 */
175 private boolean verificationResult;
176
177 // Cached SKID
178 private byte[] subjectKeyId = null;
179
180 // Cached AKID
181 private byte[] issuerKeyId = null;
182
183 /**
184 * Default constructor.
185 */
186 public X509CertImpl() { }
187
188 /**
189 * Unmarshals a certificate from its encoded form, parsing the
190 * encoded bytes. This form of constructor is used by agents which
191 * need to examine and use certificate contents. That is, this is
192 * one of the more commonly used constructors. Note that the buffer
193 * must include only a certificate, and no "garbage" may be left at
194 * the end. If you need to ignore data at the end of a certificate,
195 * use another constructor.
196 *
197 * @param certData the encoded bytes, with no trailing padding.
198 * @exception CertificateException on parsing and initialization errors.
199 */
200 public X509CertImpl(byte[] certData) throws CertificateException {
201 try {
202 parse(new DerValue(certData));
203 } catch (IOException e) {
204 signedCert = null;
205 throw new CertificateException("Unable to initialize, " + e, e);
206 }
207 }
208
209 /**
210 * unmarshals an X.509 certificate from an input stream. If the
211 * certificate is RFC1421 hex-encoded, then it must begin with
212 * the line X509Factory.BEGIN_CERT and end with the line
213 * X509Factory.END_CERT.
214 *
215 * @param in an input stream holding at least one certificate that may
216 * be either DER-encoded or RFC1421 hex-encoded version of the
217 * DER-encoded certificate.
218 * @exception CertificateException on parsing and initialization errors.
219 */
220 public X509CertImpl(InputStream in) throws CertificateException {
221
222 DerValue der = null;
223
224 BufferedInputStream inBuffered = new BufferedInputStream(in);
225
226 // First try reading stream as HEX-encoded DER-encoded bytes,
227 // since not mistakable for raw DER
228 try {
229 inBuffered.mark(Integer.MAX_VALUE);
230 der = readRFC1421Cert(inBuffered);
231 } catch (IOException ioe) {
232 try {
233 // Next, try reading stream as raw DER-encoded bytes
234 inBuffered.reset();
235 der = new DerValue(inBuffered);
236 } catch (IOException ioe1) {
237 throw new CertificateException("Input stream must be " +
238 "either DER-encoded bytes " +
239 "or RFC1421 hex-encoded " +
240 "DER-encoded bytes: " +
241 ioe1.getMessage(), ioe1);
242 }
243 }
244 try {
245 parse(der);
246 } catch (IOException ioe) {
247 signedCert = null;
248 throw new CertificateException("Unable to parse DER value of " +
249 "certificate, " + ioe, ioe);
250 }
251 }
252
253 /**
254 * read input stream as HEX-encoded DER-encoded bytes
255 *
256 * @param in InputStream to read
257 * @returns DerValue corresponding to decoded HEX-encoded bytes
258 * @throws IOException if stream can not be interpreted as RFC1421
259 * encoded bytes
260 */
261 private DerValue readRFC1421Cert(InputStream in) throws IOException {
262 DerValue der = null;
263 String line = null;
264 BufferedReader certBufferedReader =
265 new BufferedReader(new InputStreamReader(in, "ASCII"));
266 try {
267 line = certBufferedReader.readLine();
268 } catch (IOException ioe1) {
269 throw new IOException("Unable to read InputStream: " +
270 ioe1.getMessage());
271 }
272 if (line.equals(X509Factory.BEGIN_CERT)) {
273 /* stream appears to be hex-encoded bytes */
274 BASE64Decoder decoder = new BASE64Decoder();
275 ByteArrayOutputStream decstream = new ByteArrayOutputStream();
276 try {
277 while ((line = certBufferedReader.readLine()) != null) {
278 if (line.equals(X509Factory.END_CERT)) {
279 der = new DerValue(decstream.toByteArray());
280 break;
281 } else {
282 decstream.write(decoder.decodeBuffer(line));
283 }
284 }
285 } catch (IOException ioe2) {
286 throw new IOException("Unable to read InputStream: "
287 + ioe2.getMessage());
288 }
289 } else {
290 throw new IOException("InputStream is not RFC1421 hex-encoded " +
291 "DER bytes");
292 }
293 return der;
294 }
295
296 /**
297 * Construct an initialized X509 Certificate. The certificate is stored
298 * in raw form and has to be signed to be useful.
299 *
300 * @params info the X509CertificateInfo which the Certificate is to be
301 * created from.
302 */
303 public X509CertImpl(X509CertInfo certInfo) {
304 this.info = certInfo;
305 }
306
307 /**
308 * Unmarshal a certificate from its encoded form, parsing a DER value.
309 * This form of constructor is used by agents which need to examine
310 * and use certificate contents.
311 *
312 * @param derVal the der value containing the encoded cert.
313 * @exception CertificateException on parsing and initialization errors.
314 */
315 public X509CertImpl(DerValue derVal) throws CertificateException {
316 try {
317 parse(derVal);
318 } catch (IOException e) {
319 signedCert = null;
320 throw new CertificateException("Unable to initialize, " + e, e);
321 }
322 }
323
324 /**
325 * Appends the certificate to an output stream.
326 *
327 * @param out an input stream to which the certificate is appended.
328 * @exception CertificateEncodingException on encoding errors.
329 */
330 public void encode(OutputStream out)
331 throws CertificateEncodingException {
332 if (signedCert == null)
333 throw new CertificateEncodingException(
334 "Null certificate to encode");
335 try {
336 out.write(signedCert.clone());
337 } catch (IOException e) {
338 throw new CertificateEncodingException(e.toString());
339 }
340 }
341
342 /**
343 * DER encode this object onto an output stream.
344 * Implements the <code>DerEncoder</code> interface.
345 *
346 * @param out the output stream on which to write the DER encoding.
347 *
348 * @exception IOException on encoding error.
349 */
350 public void derEncode(OutputStream out) throws IOException {
351 if (signedCert == null)
352 throw new IOException("Null certificate to encode");
353 out.write(signedCert.clone());
354 }
355
356 /**
357 * Returns the encoded form of this certificate. It is
358 * assumed that each certificate type would have only a single
359 * form of encoding; for example, X.509 certificates would
360 * be encoded as ASN.1 DER.
361 *
362 * @exception CertificateEncodingException if an encoding error occurs.
363 */
364 public byte[] getEncoded() throws CertificateEncodingException {
365 return getEncodedInternal().clone();
366 }
367
368 /**
369 * Returned the encoding as an uncloned byte array. Callers must
370 * guarantee that they neither modify it nor expose it to untrusted
371 * code.
372 */
373 public byte[] getEncodedInternal() throws CertificateEncodingException {
374 if (signedCert == null) {
375 throw new CertificateEncodingException(
376 "Null certificate to encode");
377 }
378 return signedCert;
379 }
380
381 /**
382 * Throws an exception if the certificate was not signed using the
383 * verification key provided. Successfully verifying a certificate
384 * does <em>not</em> indicate that one should trust the entity which
385 * it represents.
386 *
387 * @param key the public key used for verification.
388 *
389 * @exception InvalidKeyException on incorrect key.
390 * @exception NoSuchAlgorithmException on unsupported signature
391 * algorithms.
392 * @exception NoSuchProviderException if there's no default provider.
393 * @exception SignatureException on signature errors.
394 * @exception CertificateException on encoding errors.
395 */
396 public void verify(PublicKey key)
397 throws CertificateException, NoSuchAlgorithmException,
398 InvalidKeyException, NoSuchProviderException, SignatureException {
399
400 verify(key, "");
401 }
402
403 /**
404 * Throws an exception if the certificate was not signed using the
405 * verification key provided. Successfully verifying a certificate
406 * does <em>not</em> indicate that one should trust the entity which
407 * it represents.
408 *
409 * @param key the public key used for verification.
410 * @param sigProvider the name of the provider.
411 *
412 * @exception NoSuchAlgorithmException on unsupported signature
413 * algorithms.
414 * @exception InvalidKeyException on incorrect key.
415 * @exception NoSuchProviderException on incorrect provider.
416 * @exception SignatureException on signature errors.
417 * @exception CertificateException on encoding errors.
418 */
419 public synchronized void verify(PublicKey key, String sigProvider)
420 throws CertificateException, NoSuchAlgorithmException,
421 InvalidKeyException, NoSuchProviderException, SignatureException {
422 if (sigProvider == null) {
423 sigProvider = "";
424 }
425 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
426 // this certificate has already been verified using
427 // this public key. Make sure providers match, too.
428 if (sigProvider.equals(verifiedProvider)) {
429 if (verificationResult) {
430 return;
431 } else {
432 throw new SignatureException("Signature does not match.");
433 }
434 }
435 }
436 if (signedCert == null) {
437 throw new CertificateEncodingException("Uninitialized certificate");
438 }
439 // Verify the signature ...
440 Signature sigVerf = null;
441 if (sigProvider.length() == 0) {
442 sigVerf = Signature.getInstance(algId.getName());
443 } else {
444 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
445 }
446 sigVerf.initVerify(key);
447
448 byte[] rawCert = info.getEncodedInfo();
449 sigVerf.update(rawCert, 0, rawCert.length);
450
451 // verify may throw SignatureException for invalid encodings, etc.
452 verificationResult = sigVerf.verify(signature);
453 verifiedPublicKey = key;
454 verifiedProvider = sigProvider;
455
456 if (verificationResult == false) {
457 throw new SignatureException("Signature does not match.");
458 }
459 }
460
461 /**
462 * Creates an X.509 certificate, and signs it using the given key
463 * (associating a signature algorithm and an X.500 name).
464 * This operation is used to implement the certificate generation
465 * functionality of a certificate authority.
466 *
467 * @param key the private key used for signing.
468 * @param algorithm the name of the signature algorithm used.
469 *
470 * @exception InvalidKeyException on incorrect key.
471 * @exception NoSuchAlgorithmException on unsupported signature
472 * algorithms.
473 * @exception NoSuchProviderException if there's no default provider.
474 * @exception SignatureException on signature errors.
475 * @exception CertificateException on encoding errors.
476 */
477 public void sign(PrivateKey key, String algorithm)
478 throws CertificateException, NoSuchAlgorithmException,
479 InvalidKeyException, NoSuchProviderException, SignatureException {
480 sign(key, algorithm, null);
481 }
482
483 /**
484 * Creates an X.509 certificate, and signs it using the given key
485 * (associating a signature algorithm and an X.500 name).
486 * This operation is used to implement the certificate generation
487 * functionality of a certificate authority.
488 *
489 * @param key the private key used for signing.
490 * @param algorithm the name of the signature algorithm used.
491 * @param provider the name of the provider.
492 *
493 * @exception NoSuchAlgorithmException on unsupported signature
494 * algorithms.
495 * @exception InvalidKeyException on incorrect key.
496 * @exception NoSuchProviderException on incorrect provider.
497 * @exception SignatureException on signature errors.
498 * @exception CertificateException on encoding errors.
499 */
500 public void sign(PrivateKey key, String algorithm, String provider)
501 throws CertificateException, NoSuchAlgorithmException,
502 InvalidKeyException, NoSuchProviderException, SignatureException {
503 try {
504 if (readOnly)
505 throw new CertificateEncodingException(
506 "cannot over-write existing certificate");
507 Signature sigEngine = null;
508 if ((provider == null) || (provider.length() == 0))
509 sigEngine = Signature.getInstance(algorithm);
510 else
511 sigEngine = Signature.getInstance(algorithm, provider);
512
513 sigEngine.initSign(key);
514
515 // in case the name is reset
516 algId = AlgorithmId.get(sigEngine.getAlgorithm());
517
518 DerOutputStream out = new DerOutputStream();
519 DerOutputStream tmp = new DerOutputStream();
520
521 // encode certificate info
522 info.encode(tmp);
523 byte[] rawCert = tmp.toByteArray();
524
525 // encode algorithm identifier
526 algId.encode(tmp);
527
528 // Create and encode the signature itself.
529 sigEngine.update(rawCert, 0, rawCert.length);
530 signature = sigEngine.sign();
531 tmp.putBitString(signature);
532
533 // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
534 out.write(DerValue.tag_Sequence, tmp);
535 signedCert = out.toByteArray();
536 readOnly = true;
537
538 } catch (IOException e) {
539 throw new CertificateEncodingException(e.toString());
540 }
541 }
542
543 /**
544 * Checks that the certificate is currently valid, i.e. the current
545 * time is within the specified validity period.
546 *
547 * @exception CertificateExpiredException if the certificate has expired.
548 * @exception CertificateNotYetValidException if the certificate is not
549 * yet valid.
550 */
551 public void checkValidity()
552 throws CertificateExpiredException, CertificateNotYetValidException {
553 Date date = new Date();
554 checkValidity(date);
555 }
556
557 /**
558 * Checks that the specified date is within the certificate's
559 * validity period, or basically if the certificate would be
560 * valid at the specified date/time.
561 *
562 * @param date the Date to check against to see if this certificate
563 * is valid at that date/time.
564 *
565 * @exception CertificateExpiredException if the certificate has expired
566 * with respect to the <code>date</code> supplied.
567 * @exception CertificateNotYetValidException if the certificate is not
568 * yet valid with respect to the <code>date</code> supplied.
569 */
570 public void checkValidity(Date date)
571 throws CertificateExpiredException, CertificateNotYetValidException {
572
573 CertificateValidity interval = null;
574 try {
575 interval = (CertificateValidity)info.get(CertificateValidity.NAME);
576 } catch (Exception e) {
577 throw new CertificateNotYetValidException("Incorrect validity period");
578 }
579 if (interval == null)
580 throw new CertificateNotYetValidException("Null validity period");
581 interval.valid(date);
582 }
583
584 /**
585 * Return the requested attribute from the certificate.
586 *
587 * Note that the X509CertInfo is not cloned for performance reasons.
588 * Callers must ensure that they do not modify it. All other
589 * attributes are cloned.
590 *
591 * @param name the name of the attribute.
592 * @exception CertificateParsingException on invalid attribute identifier.
593 */
594 public Object get(String name)
595 throws CertificateParsingException {
596 X509AttributeName attr = new X509AttributeName(name);
597 String id = attr.getPrefix();
598 if (!(id.equalsIgnoreCase(NAME))) {
599 throw new CertificateParsingException("Invalid root of "
600 + "attribute name, expected [" + NAME +
601 "], received " + "[" + id + "]");
602 }
603 attr = new X509AttributeName(attr.getSuffix());
604 id = attr.getPrefix();
605
606 if (id.equalsIgnoreCase(INFO)) {
607 if (info == null) {
608 return null;
609 }
610 if (attr.getSuffix() != null) {
611 try {
612 return info.get(attr.getSuffix());
613 } catch (IOException e) {
614 throw new CertificateParsingException(e.toString());
615 } catch (CertificateException e) {
616 throw new CertificateParsingException(e.toString());
617 }
618 } else {
619 return info;
620 }
621 } else if (id.equalsIgnoreCase(ALG_ID)) {
622 return(algId);
623 } else if (id.equalsIgnoreCase(SIGNATURE)) {
624 if (signature != null)
625 return signature.clone();
626 else
627 return null;
628 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
629 if (signedCert != null)
630 return signedCert.clone();
631 else
632 return null;
633 } else {
634 throw new CertificateParsingException("Attribute name not "
635 + "recognized or get() not allowed for the same: " + id);
636 }
637 }
638
639 /**
640 * Set the requested attribute in the certificate.
641 *
642 * @param name the name of the attribute.
643 * @param obj the value of the attribute.
644 * @exception CertificateException on invalid attribute identifier.
645 * @exception IOException on encoding error of attribute.
646 */
647 public void set(String name, Object obj)
648 throws CertificateException, IOException {
649 // check if immutable
650 if (readOnly)
651 throw new CertificateException("cannot over-write existing"
652 + " certificate");
653
654 X509AttributeName attr = new X509AttributeName(name);
655 String id = attr.getPrefix();
656 if (!(id.equalsIgnoreCase(NAME))) {
657 throw new CertificateException("Invalid root of attribute name,"
658 + " expected [" + NAME + "], received " + id);
659 }
660 attr = new X509AttributeName(attr.getSuffix());
661 id = attr.getPrefix();
662
663 if (id.equalsIgnoreCase(INFO)) {
664 if (attr.getSuffix() == null) {
665 if (!(obj instanceof X509CertInfo)) {
666 throw new CertificateException("Attribute value should"
667 + " be of type X509CertInfo.");
668 }
669 info = (X509CertInfo)obj;
670 signedCert = null; //reset this as certificate data has changed
671 } else {
672 info.set(attr.getSuffix(), obj);
673 signedCert = null; //reset this as certificate data has changed
674 }
675 } else {
676 throw new CertificateException("Attribute name not recognized or " +
677 "set() not allowed for the same: " + id);
678 }
679 }
680
681 /**
682 * Delete the requested attribute from the certificate.
683 *
684 * @param name the name of the attribute.
685 * @exception CertificateException on invalid attribute identifier.
686 * @exception IOException on other errors.
687 */
688 public void delete(String name)
689 throws CertificateException, IOException {
690 // check if immutable
691 if (readOnly)
692 throw new CertificateException("cannot over-write existing"
693 + " certificate");
694
695 X509AttributeName attr = new X509AttributeName(name);
696 String id = attr.getPrefix();
697 if (!(id.equalsIgnoreCase(NAME))) {
698 throw new CertificateException("Invalid root of attribute name,"
699 + " expected ["
700 + NAME + "], received " + id);
701 }
702 attr = new X509AttributeName(attr.getSuffix());
703 id = attr.getPrefix();
704
705 if (id.equalsIgnoreCase(INFO)) {
706 if (attr.getSuffix() != null) {
707 info = null;
708 } else {
709 info.delete(attr.getSuffix());
710 }
711 } else if (id.equalsIgnoreCase(ALG_ID)) {
712 algId = null;
713 } else if (id.equalsIgnoreCase(SIGNATURE)) {
714 signature = null;
715 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
716 signedCert = null;
717 } else {
718 throw new CertificateException("Attribute name not recognized or " +
719 "delete() not allowed for the same: " + id);
720 }
721 }
722
723 /**
724 * Return an enumeration of names of attributes existing within this
725 * attribute.
726 */
727 public Enumeration<String> getElements() {
728 AttributeNameEnumeration elements = new AttributeNameEnumeration();
729 elements.addElement(NAME + DOT + INFO);
730 elements.addElement(NAME + DOT + ALG_ID);
731 elements.addElement(NAME + DOT + SIGNATURE);
732 elements.addElement(NAME + DOT + SIGNED_CERT);
733
734 return elements.elements();
735 }
736
737 /**
738 * Return the name of this attribute.
739 */
740 public String getName() {
741 return(NAME);
742 }
743
744 /**
745 * Returns a printable representation of the certificate. This does not
746 * contain all the information available to distinguish this from any
747 * other certificate. The certificate must be fully constructed
748 * before this function may be called.
749 */
750 public String toString() {
751 if (info == null || algId == null || signature == null)
752 return "";
753
754 StringBuilder sb = new StringBuilder();
755
756 sb.append("[\n");
757 sb.append(info.toString() + "\n");
758 sb.append(" Algorithm: [" + algId.toString() + "]\n");
759
760 HexDumpEncoder encoder = new HexDumpEncoder();
761 sb.append(" Signature:\n" + encoder.encodeBuffer(signature));
762 sb.append("\n]");
763
764 return sb.toString();
765 }
766
767 // the strongly typed gets, as per java.security.cert.X509Certificate
768
769 /**
770 * Gets the publickey from this certificate.
771 *
772 * @return the publickey.
773 */
774 public PublicKey getPublicKey() {
775 if (info == null)
776 return null;
777 try {
778 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
779 + DOT + CertificateX509Key.KEY);
780 return key;
781 } catch (Exception e) {
782 return null;
783 }
784 }
785
786 /**
787 * Gets the version number from the certificate.
788 *
789 * @return the version number, i.e. 1, 2 or 3.
790 */
791 public int getVersion() {
792 if (info == null)
793 return -1;
794 try {
795 int vers = ((Integer)info.get(CertificateVersion.NAME
796 + DOT + CertificateVersion.VERSION)).intValue();
797 return vers+1;
798 } catch (Exception e) {
799 return -1;
800 }
801 }
802
803 /**
804 * Gets the serial number from the certificate.
805 *
806 * @return the serial number.
807 */
808 public BigInteger getSerialNumber() {
809 SerialNumber ser = getSerialNumberObject();
810
811 return ser != null ? ser.getNumber() : null;
812 }
813
814 /**
815 * Gets the serial number from the certificate as
816 * a SerialNumber object.
817 *
818 * @return the serial number.
819 */
820 public SerialNumber getSerialNumberObject() {
821 if (info == null)
822 return null;
823 try {
824 SerialNumber ser = (SerialNumber)info.get(
825 CertificateSerialNumber.NAME + DOT +
826 CertificateSerialNumber.NUMBER);
827 return ser;
828 } catch (Exception e) {
829 return null;
830 }
831 }
832
833
834 /**
835 * Gets the subject distinguished name from the certificate.
836 *
837 * @return the subject name.
838 */
839 public Principal getSubjectDN() {
840 if (info == null)
841 return null;
842 try {
843 Principal subject = (Principal)info.get(
844 CertificateSubjectName.NAME + DOT +
845 CertificateSubjectName.DN_NAME);
846 return subject;
847 } catch (Exception e) {
848 return null;
849 }
850 }
851
852 /**
853 * Get subject name as X500Principal. Overrides implementation in
854 * X509Certificate with a slightly more efficient version that is
855 * also aware of X509CertImpl mutability.
856 */
857 public X500Principal getSubjectX500Principal() {
858 if (info == null) {
859 return null;
860 }
861 try {
862 X500Principal subject = (X500Principal)info.get(
863 CertificateSubjectName.NAME + DOT +
864 CertificateSubjectName.DN_PRINCIPAL);
865 return subject;
866 } catch (Exception e) {
867 return null;
868 }
869 }
870
871 /**
872 * Gets the issuer distinguished name from the certificate.
873 *
874 * @return the issuer name.
875 */
876 public Principal getIssuerDN() {
877 if (info == null)
878 return null;
879 try {
880 Principal issuer = (Principal)info.get(
881 CertificateIssuerName.NAME + DOT +
882 CertificateIssuerName.DN_NAME);
883 return issuer;
884 } catch (Exception e) {
885 return null;
886 }
887 }
888
889 /**
890 * Get issuer name as X500Principal. Overrides implementation in
891 * X509Certificate with a slightly more efficient version that is
892 * also aware of X509CertImpl mutability.
893 */
894 public X500Principal getIssuerX500Principal() {
895 if (info == null) {
896 return null;
897 }
898 try {
899 X500Principal issuer = (X500Principal)info.get(
900 CertificateIssuerName.NAME + DOT +
901 CertificateIssuerName.DN_PRINCIPAL);
902 return issuer;
903 } catch (Exception e) {
904 return null;
905 }
906 }
907
908 /**
909 * Gets the notBefore date from the validity period of the certificate.
910 *
911 * @return the start date of the validity period.
912 */
913 public Date getNotBefore() {
914 if (info == null)
915 return null;
916 try {
917 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
918 CertificateValidity.NOT_BEFORE);
919 return d;
920 } catch (Exception e) {
921 return null;
922 }
923 }
924
925 /**
926 * Gets the notAfter date from the validity period of the certificate.
927 *
928 * @return the end date of the validity period.
929 */
930 public Date getNotAfter() {
931 if (info == null)
932 return null;
933 try {
934 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
935 CertificateValidity.NOT_AFTER);
936 return d;
937 } catch (Exception e) {
938 return null;
939 }
940 }
941
942 /**
943 * Gets the DER encoded certificate informations, the
944 * <code>tbsCertificate</code> from this certificate.
945 * This can be used to verify the signature independently.
946 *
947 * @return the DER encoded certificate information.
948 * @exception CertificateEncodingException if an encoding error occurs.
949 */
950 public byte[] getTBSCertificate() throws CertificateEncodingException {
951 if (info != null) {
952 return info.getEncodedInfo();
953 } else
954 throw new CertificateEncodingException("Uninitialized certificate");
955 }
956
957 /**
958 * Gets the raw Signature bits from the certificate.
959 *
960 * @return the signature.
961 */
962 public byte[] getSignature() {
963 if (signature == null)
964 return null;
965 byte[] dup = new byte[signature.length];
966 System.arraycopy(signature, 0, dup, 0, dup.length);
967 return dup;
968 }
969
970 /**
971 * Gets the signature algorithm name for the certificate
972 * signature algorithm.
973 * For example, the string "SHA-1/DSA" or "DSS".
974 *
975 * @return the signature algorithm name.
976 */
977 public String getSigAlgName() {
978 if (algId == null)
979 return null;
980 return (algId.getName());
981 }
982
983 /**
984 * Gets the signature algorithm OID string from the certificate.
985 * For example, the string "1.2.840.10040.4.3"
986 *
987 * @return the signature algorithm oid string.
988 */
989 public String getSigAlgOID() {
990 if (algId == null)
991 return null;
992 ObjectIdentifier oid = algId.getOID();
993 return (oid.toString());
994 }
995
996 /**
997 * Gets the DER encoded signature algorithm parameters from this
998 * certificate's signature algorithm.
999 *
1000 * @return the DER encoded signature algorithm parameters, or
1001 * null if no parameters are present.
1002 */
1003 public byte[] getSigAlgParams() {
1004 if (algId == null)
1005 return null;
1006 try {
1007 return algId.getEncodedParams();
1008 } catch (IOException e) {
1009 return null;
1010 }
1011 }
1012
1013 /**
1014 * Gets the Issuer Unique Identity from the certificate.
1015 *
1016 * @return the Issuer Unique Identity.
1017 */
1018 public boolean[] getIssuerUniqueID() {
1019 if (info == null)
1020 return null;
1021 try {
1022 UniqueIdentity id = (UniqueIdentity)info.get(
1023 CertificateIssuerUniqueIdentity.NAME
1024 + DOT + CertificateIssuerUniqueIdentity.ID);
1025 if (id == null)
1026 return null;
1027 else
1028 return (id.getId());
1029 } catch (Exception e) {
1030 return null;
1031 }
1032 }
1033
1034 /**
1035 * Gets the Subject Unique Identity from the certificate.
1036 *
1037 * @return the Subject Unique Identity.
1038 */
1039 public boolean[] getSubjectUniqueID() {
1040 if (info == null)
1041 return null;
1042 try {
1043 UniqueIdentity id = (UniqueIdentity)info.get(
1044 CertificateSubjectUniqueIdentity.NAME
1045 + DOT + CertificateSubjectUniqueIdentity.ID);
1046 if (id == null)
1047 return null;
1048 else
1049 return (id.getId());
1050 } catch (Exception e) {
1051 return null;
1052 }
1053 }
1054
1055 /**
1056 * Get AuthorityKeyIdentifier extension
1057 * @return AuthorityKeyIdentifier object or null (if no such object
1058 * in certificate)
1059 */
1060 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
1061 {
1062 return (AuthorityKeyIdentifierExtension)
1063 getExtension(PKIXExtensions.AuthorityKey_Id);
1064 }
1065
1066 /**
1067 * Return the issuing authority's key identifier bytes, or null
1068 */
1069 public byte[] getIssuerKeyIdentifier()
1070 {
1071 if (issuerKeyId == null) {
1072 AuthorityKeyIdentifierExtension aki =
1073 getAuthorityKeyIdentifierExtension();
1074 if (aki != null) {
1075
1076 try {
1077 issuerKeyId = ((KeyIdentifier)
1078 aki.get(AuthorityKeyIdentifierExtension.KEY_ID))
1079 .getIdentifier();
1080 } catch (IOException e) {
1081 // should never happen (because KEY_ID attr is supported)
1082 }
1083
1084 } else {
1085 issuerKeyId = new byte[0]; // no AKID present
1086 }
1087 }
1088
1089 return issuerKeyId.length != 0 ? issuerKeyId : null;
1090 }
1091
1092 /**
1093 * Get BasicConstraints extension
1094 * @return BasicConstraints object or null (if no such object in
1095 * certificate)
1096 */
1097 public BasicConstraintsExtension getBasicConstraintsExtension() {
1098 return (BasicConstraintsExtension)
1099 getExtension(PKIXExtensions.BasicConstraints_Id);
1100 }
1101
1102 /**
1103 * Get CertificatePoliciesExtension
1104 * @return CertificatePoliciesExtension or null (if no such object in
1105 * certificate)
1106 */
1107 public CertificatePoliciesExtension getCertificatePoliciesExtension() {
1108 return (CertificatePoliciesExtension)
1109 getExtension(PKIXExtensions.CertificatePolicies_Id);
1110 }
1111
1112 /**
1113 * Get ExtendedKeyUsage extension
1114 * @return ExtendedKeyUsage extension object or null (if no such object
1115 * in certificate)
1116 */
1117 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
1118 return (ExtendedKeyUsageExtension)
1119 getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
1120 }
1121
1122 /**
1123 * Get IssuerAlternativeName extension
1124 * @return IssuerAlternativeName object or null (if no such object in
1125 * certificate)
1126 */
1127 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
1128 return (IssuerAlternativeNameExtension)
1129 getExtension(PKIXExtensions.IssuerAlternativeName_Id);
1130 }
1131
1132 /**
1133 * Get NameConstraints extension
1134 * @return NameConstraints object or null (if no such object in certificate)
1135 */
1136 public NameConstraintsExtension getNameConstraintsExtension() {
1137 return (NameConstraintsExtension)
1138 getExtension(PKIXExtensions.NameConstraints_Id);
1139 }
1140
1141 /**
1142 * Get PolicyConstraints extension
1143 * @return PolicyConstraints object or null (if no such object in
1144 * certificate)
1145 */
1146 public PolicyConstraintsExtension getPolicyConstraintsExtension() {
1147 return (PolicyConstraintsExtension)
1148 getExtension(PKIXExtensions.PolicyConstraints_Id);
1149 }
1150
1151 /**
1152 * Get PolicyMappingsExtension extension
1153 * @return PolicyMappingsExtension object or null (if no such object
1154 * in certificate)
1155 */
1156 public PolicyMappingsExtension getPolicyMappingsExtension() {
1157 return (PolicyMappingsExtension)
1158 getExtension(PKIXExtensions.PolicyMappings_Id);
1159 }
1160
1161 /**
1162 * Get PrivateKeyUsage extension
1163 * @return PrivateKeyUsage object or null (if no such object in certificate)
1164 */
1165 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
1166 return (PrivateKeyUsageExtension)
1167 getExtension(PKIXExtensions.PrivateKeyUsage_Id);
1168 }
1169
1170 /**
1171 * Get SubjectAlternativeName extension
1172 * @return SubjectAlternativeName object or null (if no such object in
1173 * certificate)
1174 */
1175 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
1176 {
1177 return (SubjectAlternativeNameExtension)
1178 getExtension(PKIXExtensions.SubjectAlternativeName_Id);
1179 }
1180
1181 /**
1182 * Get SubjectKeyIdentifier extension
1183 * @return SubjectKeyIdentifier object or null (if no such object in
1184 * certificate)
1185 */
1186 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
1187 return (SubjectKeyIdentifierExtension)
1188 getExtension(PKIXExtensions.SubjectKey_Id);
1189 }
1190
1191 /**
1192 * Returns the subject's key identifier bytes, or null
1193 */
1194 public byte[] getSubjectKeyIdentifier()
1195 {
1196 if (subjectKeyId == null) {
1197 SubjectKeyIdentifierExtension ski =
1198 getSubjectKeyIdentifierExtension();
1199 if (ski != null) {
1200
1201 try {
1202 subjectKeyId = ((KeyIdentifier)
1203 ski.get(SubjectKeyIdentifierExtension.KEY_ID))
1204 .getIdentifier();
1205 } catch (IOException e) {
1206 // should never happen (because KEY_ID attr is supported)
1207 }
1208
1209 } else {
1210 subjectKeyId = new byte[0]; // no SKID present
1211 }
1212 }
1213
1214 return subjectKeyId.length != 0 ? subjectKeyId : null;
1215 }
1216
1217 /**
1218 * Get CRLDistributionPoints extension
1219 * @return CRLDistributionPoints object or null (if no such object in
1220 * certificate)
1221 */
1222 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
1223 return (CRLDistributionPointsExtension)
1224 getExtension(PKIXExtensions.CRLDistributionPoints_Id);
1225 }
1226
1227 /**
1228 * Return true if a critical extension is found that is
1229 * not supported, otherwise return false.
1230 */
1231 public boolean hasUnsupportedCriticalExtension() {
1232 if (info == null)
1233 return false;
1234 try {
1235 CertificateExtensions exts = (CertificateExtensions)info.get(
1236 CertificateExtensions.NAME);
1237 if (exts == null)
1238 return false;
1239 return exts.hasUnsupportedCriticalExtension();
1240 } catch (Exception e) {
1241 return false;
1242 }
1243 }
1244
1245 /**
1246 * Gets a Set of the extension(s) marked CRITICAL in the
1247 * certificate. In the returned set, each extension is
1248 * represented by its OID string.
1249 *
1250 * @return a set of the extension oid strings in the
1251 * certificate that are marked critical.
1252 */
1253 public Set<String> getCriticalExtensionOIDs() {
1254 if (info == null) {
1255 return null;
1256 }
1257 try {
1258 CertificateExtensions exts = (CertificateExtensions)info.get(
1259 CertificateExtensions.NAME);
1260 if (exts == null) {
1261 return null;
1262 }
1263 Set<String> extSet = new TreeSet<>();
1264 for (Extension ex : exts.getAllExtensions()) {
1265 if (ex.isCritical()) {
1266 extSet.add(ex.getExtensionId().toString());
1267 }
1268 }
1269 return extSet;
1270 } catch (Exception e) {
1271 return null;
1272 }
1273 }
1274
1275 /**
1276 * Gets a Set of the extension(s) marked NON-CRITICAL in the
1277 * certificate. In the returned set, each extension is
1278 * represented by its OID string.
1279 *
1280 * @return a set of the extension oid strings in the
1281 * certificate that are NOT marked critical.
1282 */
1283 public Set<String> getNonCriticalExtensionOIDs() {
1284 if (info == null) {
1285 return null;
1286 }
1287 try {
1288 CertificateExtensions exts = (CertificateExtensions)info.get(
1289 CertificateExtensions.NAME);
1290 if (exts == null) {
1291 return null;
1292 }
1293 Set<String> extSet = new TreeSet<>();
1294 for (Extension ex : exts.getAllExtensions()) {
1295 if (!ex.isCritical()) {
1296 extSet.add(ex.getExtensionId().toString());
1297 }
1298 }
1299 extSet.addAll(exts.getUnparseableExtensions().keySet());
1300 return extSet;
1301 } catch (Exception e) {
1302 return null;
1303 }
1304 }
1305
1306 /**
1307 * Gets the extension identified by the given ObjectIdentifier
1308 *
1309 * @param oid the Object Identifier value for the extension.
1310 * @return Extension or null if certificate does not contain this
1311 * extension
1312 */
1313 public Extension getExtension(ObjectIdentifier oid) {
1314 if (info == null) {
1315 return null;
1316 }
1317 try {
1318 CertificateExtensions extensions;
1319 try {
1320 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1321 } catch (CertificateException ce) {
1322 return null;
1323 }
1324 if (extensions == null) {
1325 return null;
1326 } else {
1327 Extension ex = extensions.getExtension(oid.toString());
1328 if (ex != null) {
1329 return ex;
1330 }
1331 for (Extension ex2: extensions.getAllExtensions()) {
1332 if (ex2.getExtensionId().equals((Object)oid)) {
1333 //XXXX May want to consider cloning this
1334 return ex2;
1335 }
1336 }
1337 /* no such extension in this certificate */
1338 return null;
1339 }
1340 } catch (IOException ioe) {
1341 return null;
1342 }
1343 }
1344
1345 public Extension getUnparseableExtension(ObjectIdentifier oid) {
1346 if (info == null) {
1347 return null;
1348 }
1349 try {
1350 CertificateExtensions extensions;
1351 try {
1352 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1353 } catch (CertificateException ce) {
1354 return null;
1355 }
1356 if (extensions == null) {
1357 return null;
1358 } else {
1359 return extensions.getUnparseableExtensions().get(oid.toString());
1360 }
1361 } catch (IOException ioe) {
1362 return null;
1363 }
1364 }
1365
1366 /**
1367 * Gets the DER encoded extension identified by the given
1368 * oid String.
1369 *
1370 * @param oid the Object Identifier value for the extension.
1371 */
1372 public byte[] getExtensionValue(String oid) {
1373 try {
1374 ObjectIdentifier findOID = new ObjectIdentifier(oid);
1375 String extAlias = OIDMap.getName(findOID);
1376 Extension certExt = null;
1377 CertificateExtensions exts = (CertificateExtensions)info.get(
1378 CertificateExtensions.NAME);
1379
1380 if (extAlias == null) { // may be unknown
1381 // get the extensions, search thru' for this oid
1382 if (exts == null) {
1383 return null;
1384 }
1385
1386 for (Extension ex : exts.getAllExtensions()) {
1387 ObjectIdentifier inCertOID = ex.getExtensionId();
1388 if (inCertOID.equals((Object)findOID)) {
1389 certExt = ex;
1390 break;
1391 }
1392 }
1393 } else { // there's sub-class that can handle this extension
1394 try {
1395 certExt = (Extension)this.get(extAlias);
1396 } catch (CertificateException e) {
1397 // get() throws an Exception instead of returning null, ignore
1398 }
1399 }
1400 if (certExt == null) {
1401 if (exts != null) {
1402 certExt = exts.getUnparseableExtensions().get(oid);
1403 }
1404 if (certExt == null) {
1405 return null;
1406 }
1407 }
1408 byte[] extData = certExt.getExtensionValue();
1409 if (extData == null) {
1410 return null;
1411 }
1412 DerOutputStream out = new DerOutputStream();
1413 out.putOctetString(extData);
1414 return out.toByteArray();
1415 } catch (Exception e) {
1416 return null;
1417 }
1418 }
1419
1420 /**
1421 * Get a boolean array representing the bits of the KeyUsage extension,
1422 * (oid = 2.5.29.15).
1423 * @return the bit values of this extension as an array of booleans.
1424 */
1425 public boolean[] getKeyUsage() {
1426 try {
1427 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
1428 if (extAlias == null)
1429 return null;
1430
1431 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
1432 if (certExt == null)
1433 return null;
1434
1435 boolean[] ret = certExt.getBits();
1436 if (ret.length < NUM_STANDARD_KEY_USAGE) {
1437 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
1438 System.arraycopy(ret, 0, usageBits, 0, ret.length);
1439 ret = usageBits;
1440 }
1441 return ret;
1442 } catch (Exception e) {
1443 return null;
1444 }
1445 }
1446
1447 /**
1448 * This method are the overridden implementation of
1449 * getExtendedKeyUsage method in X509Certificate in the Sun
1450 * provider. It is better performance-wise since it returns cached
1451 * values.
1452 */
1453 public synchronized List<String> getExtendedKeyUsage()
1454 throws CertificateParsingException {
1455 if (readOnly && extKeyUsage != null) {
1456 return extKeyUsage;
1457 } else {
1458 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
1459 if (ext == null) {
1460 return null;
1461 }
1462 extKeyUsage =
1463 Collections.unmodifiableList(ext.getExtendedKeyUsage());
1464 return extKeyUsage;
1465 }
1466 }
1467
1468 /**
1469 * This static method is the default implementation of the
1470 * getExtendedKeyUsage method in X509Certificate. A
1471 * X509Certificate provider generally should overwrite this to
1472 * provide among other things caching for better performance.
1473 */
1474 public static List<String> getExtendedKeyUsage(X509Certificate cert)
1475 throws CertificateParsingException {
1476 try {
1477 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID);
1478 if (ext == null)
1479 return null;
1480 DerValue val = new DerValue(ext);
1481 byte[] data = val.getOctetString();
1482
1483 ExtendedKeyUsageExtension ekuExt =
1484 new ExtendedKeyUsageExtension(Boolean.FALSE, data);
1485 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
1486 } catch (IOException ioe) {
1487 throw new CertificateParsingException(ioe);
1488 }
1489 }
1490
1491 /**
1492 * Get the certificate constraints path length from the
1493 * the critical BasicConstraints extension, (oid = 2.5.29.19).
1494 * @return the length of the constraint.
1495 */
1496 public int getBasicConstraints() {
1497 try {
1498 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
1499 if (extAlias == null)
1500 return -1;
1501 BasicConstraintsExtension certExt =
1502 (BasicConstraintsExtension)this.get(extAlias);
1503 if (certExt == null)
1504 return -1;
1505
1506 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
1507 ).booleanValue() == true)
1508 return ((Integer)certExt.get(
1509 BasicConstraintsExtension.PATH_LEN)).intValue();
1510 else
1511 return -1;
1512 } catch (Exception e) {
1513 return -1;
1514 }
1515 }
1516
1517 /**
1518 * Converts a GeneralNames structure into an immutable Collection of
1519 * alternative names (subject or issuer) in the form required by
1520 * {@link #getSubjectAlternativeNames} or
1521 * {@link #getIssuerAlternativeNames}.
1522 *
1523 * @param names the GeneralNames to be converted
1524 * @return an immutable Collection of alternative names
1525 */
1526 private static Collection<List<?>> makeAltNames(GeneralNames names) {
1527 if (names.isEmpty()) {
1528 return Collections.<List<?>>emptySet();
1529 }
1530 List<List<?>> newNames = new ArrayList<>();
1531 for (GeneralName gname : names.names()) {
1532 GeneralNameInterface name = gname.getName();
1533 List<Object> nameEntry = new ArrayList<>(2);
1534 nameEntry.add(Integer.valueOf(name.getType()));
1535 switch (name.getType()) {
1536 case GeneralNameInterface.NAME_RFC822:
1537 nameEntry.add(((RFC822Name) name).getName());
1538 break;
1539 case GeneralNameInterface.NAME_DNS:
1540 nameEntry.add(((DNSName) name).getName());
1541 break;
1542 case GeneralNameInterface.NAME_DIRECTORY:
1543 nameEntry.add(((X500Name) name).getRFC2253Name());
1544 break;
1545 case GeneralNameInterface.NAME_URI:
1546 nameEntry.add(((URIName) name).getName());
1547 break;
1548 case GeneralNameInterface.NAME_IP:
1549 try {
1550 nameEntry.add(((IPAddressName) name).getName());
1551 } catch (IOException ioe) {
1552 // IPAddressName in cert is bogus
1553 throw new RuntimeException("IPAddress cannot be parsed",
1554 ioe);
1555 }
1556 break;
1557 case GeneralNameInterface.NAME_OID:
1558 nameEntry.add(((OIDName) name).getOID().toString());
1559 break;
1560 default:
1561 // add DER encoded form
1562 DerOutputStream derOut = new DerOutputStream();
1563 try {
1564 name.encode(derOut);
1565 } catch (IOException ioe) {
1566 // should not occur since name has already been decoded
1567 // from cert (this would indicate a bug in our code)
1568 throw new RuntimeException("name cannot be encoded", ioe);
1569 }
1570 nameEntry.add(derOut.toByteArray());
1571 break;
1572 }
1573 newNames.add(Collections.unmodifiableList(nameEntry));
1574 }
1575 return Collections.unmodifiableCollection(newNames);
1576 }
1577
1578 /**
1579 * Checks a Collection of altNames and clones any name entries of type
1580 * byte [].
1581 */ // only partially generified due to javac bug
1582 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
1583 boolean mustClone = false;
1584 for (List<?> nameEntry : altNames) {
1585 if (nameEntry.get(1) instanceof byte[]) {
1586 // must clone names
1587 mustClone = true;
1588 }
1589 }
1590 if (mustClone) {
1591 List<List<?>> namesCopy = new ArrayList<>();
1592 for (List<?> nameEntry : altNames) {
1593 Object nameObject = nameEntry.get(1);
1594 if (nameObject instanceof byte[]) {
1595 List<Object> nameEntryCopy =
1596 new ArrayList<>(nameEntry);
1597 nameEntryCopy.set(1, ((byte[])nameObject).clone());
1598 namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
1599 } else {
1600 namesCopy.add(nameEntry);
1601 }
1602 }
1603 return Collections.unmodifiableCollection(namesCopy);
1604 } else {
1605 return altNames;
1606 }
1607 }
1608
1609 /**
1610 * This method are the overridden implementation of
1611 * getSubjectAlternativeNames method in X509Certificate in the Sun
1612 * provider. It is better performance-wise since it returns cached
1613 * values.
1614 */
1615 public synchronized Collection<List<?>> getSubjectAlternativeNames()
1616 throws CertificateParsingException {
1617 // return cached value if we can
1618 if (readOnly && subjectAlternativeNames != null) {
1619 return cloneAltNames(subjectAlternativeNames);
1620 }
1621 SubjectAlternativeNameExtension subjectAltNameExt =
1622 getSubjectAlternativeNameExtension();
1623 if (subjectAltNameExt == null) {
1624 return null;
1625 }
1626 GeneralNames names;
1627 try {
1628 names = (GeneralNames) subjectAltNameExt.get(
1629 SubjectAlternativeNameExtension.SUBJECT_NAME);
1630 } catch (IOException ioe) {
1631 // should not occur
1632 return Collections.<List<?>>emptySet();
1633 }
1634 subjectAlternativeNames = makeAltNames(names);
1635 return subjectAlternativeNames;
1636 }
1637
1638 /**
1639 * This static method is the default implementation of the
1640 * getSubjectAlternaitveNames method in X509Certificate. A
1641 * X509Certificate provider generally should overwrite this to
1642 * provide among other things caching for better performance.
1643 */
1644 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
1645 throws CertificateParsingException {
1646 try {
1647 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID);
1648 if (ext == null) {
1649 return null;
1650 }
1651 DerValue val = new DerValue(ext);
1652 byte[] data = val.getOctetString();
1653
1654 SubjectAlternativeNameExtension subjectAltNameExt =
1655 new SubjectAlternativeNameExtension(Boolean.FALSE,
1656 data);
1657
1658 GeneralNames names;
1659 try {
1660 names = (GeneralNames) subjectAltNameExt.get(
1661 SubjectAlternativeNameExtension.SUBJECT_NAME);
1662 } catch (IOException ioe) {
1663 // should not occur
1664 return Collections.<List<?>>emptySet();
1665 }
1666 return makeAltNames(names);
1667 } catch (IOException ioe) {
1668 throw new CertificateParsingException(ioe);
1669 }
1670 }
1671
1672 /**
1673 * This method are the overridden implementation of
1674 * getIssuerAlternativeNames method in X509Certificate in the Sun
1675 * provider. It is better performance-wise since it returns cached
1676 * values.
1677 */
1678 public synchronized Collection<List<?>> getIssuerAlternativeNames()
1679 throws CertificateParsingException {
1680 // return cached value if we can
1681 if (readOnly && issuerAlternativeNames != null) {
1682 return cloneAltNames(issuerAlternativeNames);
1683 }
1684 IssuerAlternativeNameExtension issuerAltNameExt =
1685 getIssuerAlternativeNameExtension();
1686 if (issuerAltNameExt == null) {
1687 return null;
1688 }
1689 GeneralNames names;
1690 try {
1691 names = (GeneralNames) issuerAltNameExt.get(
1692 IssuerAlternativeNameExtension.ISSUER_NAME);
1693 } catch (IOException ioe) {
1694 // should not occur
1695 return Collections.<List<?>>emptySet();
1696 }
1697 issuerAlternativeNames = makeAltNames(names);
1698 return issuerAlternativeNames;
1699 }
1700
1701 /**
1702 * This static method is the default implementation of the
1703 * getIssuerAlternaitveNames method in X509Certificate. A
1704 * X509Certificate provider generally should overwrite this to
1705 * provide among other things caching for better performance.
1706 */
1707 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
1708 throws CertificateParsingException {
1709 try {
1710 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
1711 if (ext == null) {
1712 return null;
1713 }
1714
1715 DerValue val = new DerValue(ext);
1716 byte[] data = val.getOctetString();
1717
1718 IssuerAlternativeNameExtension issuerAltNameExt =
1719 new IssuerAlternativeNameExtension(Boolean.FALSE,
1720 data);
1721 GeneralNames names;
1722 try {
1723 names = (GeneralNames) issuerAltNameExt.get(
1724 IssuerAlternativeNameExtension.ISSUER_NAME);
1725 } catch (IOException ioe) {
1726 // should not occur
1727 return Collections.<List<?>>emptySet();
1728 }
1729 return makeAltNames(names);
1730 } catch (IOException ioe) {
1731 throw new CertificateParsingException(ioe);
1732 }
1733 }
1734
1735 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
1736 return (AuthorityInfoAccessExtension)
1737 getExtension(PKIXExtensions.AuthInfoAccess_Id);
1738 }
1739
1740 /************************************************************/
1741
1742 /*
1743 * Cert is a SIGNED ASN.1 macro, a three elment sequence:
1744 *
1745 * - Data to be signed (ToBeSigned) -- the "raw" cert
1746 * - Signature algorithm (SigAlgId)
1747 * - The signature bits
1748 *
1749 * This routine unmarshals the certificate, saving the signature
1750 * parts away for later verification.
1751 */
1752 private void parse(DerValue val)
1753 throws CertificateException, IOException {
1754 // check if can over write the certificate
1755 if (readOnly)
1756 throw new CertificateParsingException(
1757 "cannot over-write existing certificate");
1758
1759 if (val.data == null || val.tag != DerValue.tag_Sequence)
1760 throw new CertificateParsingException(
1761 "invalid DER-encoded certificate data");
1762
1763 signedCert = val.toByteArray();
1764 DerValue[] seq = new DerValue[3];
1765
1766 seq[0] = val.data.getDerValue();
1767 seq[1] = val.data.getDerValue();
1768 seq[2] = val.data.getDerValue();
1769
1770 if (val.data.available() != 0) {
1771 throw new CertificateParsingException("signed overrun, bytes = "
1772 + val.data.available());
1773 }
1774 if (seq[0].tag != DerValue.tag_Sequence) {
1775 throw new CertificateParsingException("signed fields invalid");
1776 }
1777
1778 algId = AlgorithmId.parse(seq[1]);
1779 signature = seq[2].getBitString();
1780
1781 if (seq[1].data.available() != 0) {
1782 throw new CertificateParsingException("algid field overrun");
1783 }
1784 if (seq[2].data.available() != 0)
1785 throw new CertificateParsingException("signed fields overrun");
1786
1787 // The CertificateInfo
1788 info = new X509CertInfo(seq[0]);
1789
1790 // the "inner" and "outer" signature algorithms must match
1791 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1792 CertificateAlgorithmId.NAME
1793 + DOT +
1794 CertificateAlgorithmId.ALGORITHM);
1795 if (! algId.equals(infoSigAlg))
1796 throw new CertificateException("Signature algorithm mismatch");
1797 readOnly = true;
1798 }
1799
1800 /**
1801 * Extract the subject or issuer X500Principal from an X509Certificate.
1802 * Parses the encoded form of the cert to preserve the principal's
1803 * ASN.1 encoding.
1804 */
1805 private static X500Principal getX500Principal(X509Certificate cert,
1806 boolean getIssuer) throws Exception {
1807 byte[] encoded = cert.getEncoded();
1808 DerInputStream derIn = new DerInputStream(encoded);
1809 DerValue tbsCert = derIn.getSequence(3)[0];
1810 DerInputStream tbsIn = tbsCert.data;
1811 DerValue tmp;
1812 tmp = tbsIn.getDerValue();
1813 // skip version number if present
1814 if (tmp.isContextSpecific((byte)0)) {
1815 tmp = tbsIn.getDerValue();
1816 }
1817 // tmp always contains serial number now
1818 tmp = tbsIn.getDerValue(); // skip signature
1819 tmp = tbsIn.getDerValue(); // issuer
1820 if (getIssuer == false) {
1821 tmp = tbsIn.getDerValue(); // skip validity
1822 tmp = tbsIn.getDerValue(); // subject
1823 }
1824 byte[] principalBytes = tmp.toByteArray();
1825 return new X500Principal(principalBytes);
1826 }
1827
1828 /**
1829 * Extract the subject X500Principal from an X509Certificate.
1830 * Called from java.security.cert.X509Certificate.getSubjectX500Principal().
1831 */
1832 public static X500Principal getSubjectX500Principal(X509Certificate cert) {
1833 try {
1834 return getX500Principal(cert, false);
1835 } catch (Exception e) {
1836 throw new RuntimeException("Could not parse subject", e);
1837 }
1838 }
1839
1840 /**
1841 * Extract the issuer X500Principal from an X509Certificate.
1842 * Called from java.security.cert.X509Certificate.getIssuerX500Principal().
1843 */
1844 public static X500Principal getIssuerX500Principal(X509Certificate cert) {
1845 try {
1846 return getX500Principal(cert, true);
1847 } catch (Exception e) {
1848 throw new RuntimeException("Could not parse issuer", e);
1849 }
1850 }
1851
1852 /**
1853 * Returned the encoding of the given certificate for internal use.
1854 * Callers must guarantee that they neither modify it nor expose it
1855 * to untrusted code. Uses getEncodedInternal() if the certificate
1856 * is instance of X509CertImpl, getEncoded() otherwise.
1857 */
1858 public static byte[] getEncodedInternal(Certificate cert)
1859 throws CertificateEncodingException {
1860 if (cert instanceof X509CertImpl) {
1861 return ((X509CertImpl)cert).getEncodedInternal();
1862 } else {
1863 return cert.getEncoded();
1864 }
1865 }
1866
1867 /**
1868 * Utility method to convert an arbitrary instance of X509Certificate
1869 * to a X509CertImpl. Does a cast if possible, otherwise reparses
1870 * the encoding.
1871 */
1872 public static X509CertImpl toImpl(X509Certificate cert)
1873 throws CertificateException {
1874 if (cert instanceof X509CertImpl) {
1875 return (X509CertImpl)cert;
1876 } else {
1877 return X509Factory.intern(cert);
1878 }
1879 }
1880
1881 /**
1882 * Utility method to test if a certificate is self-issued. This is
1883 * the case iff the subject and issuer X500Principals are equal.
1884 */
1885 public static boolean isSelfIssued(X509Certificate cert) {
1886 X500Principal subject = cert.getSubjectX500Principal();
1887 X500Principal issuer = cert.getIssuerX500Principal();
1888 return subject.equals(issuer);
1889 }
1890
1891 /**
1892 * Utility method to test if a certificate is self-signed. This is
1893 * the case iff the subject and issuer X500Principals are equal
1894 * AND the certificate's subject public key can be used to verify
1895 * the certificate. In case of exception, returns false.
1896 */
1897 public static boolean isSelfSigned(X509Certificate cert,
1898 String sigProvider) {
1899 if (isSelfIssued(cert)) {
1900 try {
1901 if (sigProvider == null) {
1902 cert.verify(cert.getPublicKey());
1903 } else {
1904 cert.verify(cert.getPublicKey(), sigProvider);
1905 }
1906 return true;
1907 } catch (Exception e) {
1908 // In case of exception, return false
1909 }
1910 }
1911 return false;
1912 }
1913 }