1 /* 2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.BufferedReader; 29 import java.io.BufferedInputStream; 30 import java.io.ByteArrayOutputStream; 31 import java.io.IOException; 32 import java.io.InputStream; 33 import java.io.InputStreamReader; 34 import java.io.OutputStream; 35 import java.math.BigInteger; 36 import java.security.*; 37 import java.security.cert.*; 38 import java.security.cert.Certificate; 39 import java.util.*; 40 41 import javax.security.auth.x500.X500Principal; 42 43 import sun.misc.HexDumpEncoder; 44 import sun.misc.BASE64Decoder; 45 import sun.security.util.*; 46 import sun.security.provider.X509Factory; 47 48 /** 49 * The X509CertImpl class represents an X.509 certificate. These certificates 50 * are widely used to support authentication and other functionality in 51 * Internet security systems. Common applications include Privacy Enhanced 52 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted 53 * software distribution, and Secure Electronic Transactions (SET). There 54 * is a commercial infrastructure ready to manage large scale deployments 55 * of X.509 identity certificates. 56 * 57 * <P>These certificates are managed and vouched for by <em>Certificate 58 * Authorities</em> (CAs). CAs are services which create certificates by 59 * placing data in the X.509 standard format and then digitally signing 60 * that data. Such signatures are quite difficult to forge. CAs act as 61 * trusted third parties, making introductions between agents who have no 62 * direct knowledge of each other. CA certificates are either signed by 63 * themselves, or by some other CA such as a "root" CA. 64 * 65 * <P>RFC 1422 is very informative, though it does not describe much 66 * of the recent work being done with X.509 certificates. That includes 67 * a 1996 version (X.509v3) and a variety of enhancements being made to 68 * facilitate an explosion of personal certificates used as "Internet 69 * Drivers' Licences", or with SET for credit card transactions. 70 * 71 * <P>More recent work includes the IETF PKIX Working Group efforts, 72 * especially RFC2459. 73 * 74 * @author Dave Brownell 75 * @author Amit Kapoor 76 * @author Hemma Prafullchandra 77 * @see X509CertInfo 78 */ 79 public class X509CertImpl extends X509Certificate implements DerEncoder { 80 81 private static final long serialVersionUID = -3457612960190864406L; 82 83 private static final String DOT = "."; 84 /** 85 * Public attribute names. 86 */ 87 public static final String NAME = "x509"; 88 public static final String INFO = X509CertInfo.NAME; 89 public static final String ALG_ID = "algorithm"; 90 public static final String SIGNATURE = "signature"; 91 public static final String SIGNED_CERT = "signed_cert"; 92 93 /** 94 * The following are defined for ease-of-use. These 95 * are the most frequently retrieved attributes. 96 */ 97 // x509.info.subject.dname 98 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT + 99 X509CertInfo.SUBJECT + DOT + 100 CertificateSubjectName.DN_NAME; 101 // x509.info.issuer.dname 102 public static final String ISSUER_DN = NAME + DOT + INFO + DOT + 103 X509CertInfo.ISSUER + DOT + 104 CertificateIssuerName.DN_NAME; 105 // x509.info.serialNumber.number 106 public static final String SERIAL_ID = NAME + DOT + INFO + DOT + 107 X509CertInfo.SERIAL_NUMBER + DOT + 108 CertificateSerialNumber.NUMBER; 109 // x509.info.key.value 110 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT + 111 X509CertInfo.KEY + DOT + 112 CertificateX509Key.KEY; 113 114 // x509.info.version.value 115 public static final String VERSION = NAME + DOT + INFO + DOT + 116 X509CertInfo.VERSION + DOT + 117 CertificateVersion.VERSION; 118 119 // x509.algorithm 120 public static final String SIG_ALG = NAME + DOT + ALG_ID; 121 122 // x509.signature 123 public static final String SIG = NAME + DOT + SIGNATURE; 124 125 // when we sign and decode we set this to true 126 // this is our means to make certificates immutable 127 private boolean readOnly = false; 128 129 // Certificate data, and its envelope 130 private byte[] signedCert = null; 131 protected X509CertInfo info = null; 132 protected AlgorithmId algId = null; 133 protected byte[] signature = null; 134 135 // recognized extension OIDS 136 private static final String KEY_USAGE_OID = "2.5.29.15"; 137 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37"; 138 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19"; 139 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17"; 140 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18"; 141 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1"; 142 143 // number of standard key usage bits. 144 private static final int NUM_STANDARD_KEY_USAGE = 9; 145 146 // SubjectAlterntativeNames cache 147 private Collection<List<?>> subjectAlternativeNames; 148 149 // IssuerAlternativeNames cache 150 private Collection<List<?>> issuerAlternativeNames; 151 152 // ExtendedKeyUsage cache 153 private List<String> extKeyUsage; 154 155 // AuthorityInformationAccess cache 156 private Set<AccessDescription> authInfoAccess; 157 158 /** 159 * PublicKey that has previously been used to verify 160 * the signature of this certificate. Null if the certificate has not 161 * yet been verified. 162 */ 163 private PublicKey verifiedPublicKey; 164 /** 165 * If verifiedPublicKey is not null, name of the provider used to 166 * successfully verify the signature of this certificate, or the 167 * empty String if no provider was explicitly specified. 168 */ 169 private String verifiedProvider; 170 /** 171 * If verifiedPublicKey is not null, result of the verification using 172 * verifiedPublicKey and verifiedProvider. If true, verification was 173 * successful, if false, it failed. 174 */ 175 private boolean verificationResult; 176 177 /** 178 * Default constructor. 179 */ 180 public X509CertImpl() { } 181 182 /** 183 * Unmarshals a certificate from its encoded form, parsing the 184 * encoded bytes. This form of constructor is used by agents which 185 * need to examine and use certificate contents. That is, this is 186 * one of the more commonly used constructors. Note that the buffer 187 * must include only a certificate, and no "garbage" may be left at 188 * the end. If you need to ignore data at the end of a certificate, 189 * use another constructor. 190 * 191 * @param certData the encoded bytes, with no trailing padding. 192 * @exception CertificateException on parsing and initialization errors. 193 */ 194 public X509CertImpl(byte[] certData) throws CertificateException { 195 try { 196 parse(new DerValue(certData)); 197 } catch (IOException e) { 198 signedCert = null; 199 throw new CertificateException("Unable to initialize, " + e, e); 200 } 201 } 202 203 /** 204 * unmarshals an X.509 certificate from an input stream. If the 205 * certificate is RFC1421 hex-encoded, then it must begin with 206 * the line X509Factory.BEGIN_CERT and end with the line 207 * X509Factory.END_CERT. 208 * 209 * @param in an input stream holding at least one certificate that may 210 * be either DER-encoded or RFC1421 hex-encoded version of the 211 * DER-encoded certificate. 212 * @exception CertificateException on parsing and initialization errors. 213 */ 214 public X509CertImpl(InputStream in) throws CertificateException { 215 216 DerValue der = null; 217 218 BufferedInputStream inBuffered = new BufferedInputStream(in); 219 220 // First try reading stream as HEX-encoded DER-encoded bytes, 221 // since not mistakable for raw DER 222 try { 223 inBuffered.mark(Integer.MAX_VALUE); 224 der = readRFC1421Cert(inBuffered); 225 } catch (IOException ioe) { 226 try { 227 // Next, try reading stream as raw DER-encoded bytes 228 inBuffered.reset(); 229 der = new DerValue(inBuffered); 230 } catch (IOException ioe1) { 231 throw new CertificateException("Input stream must be " + 232 "either DER-encoded bytes " + 233 "or RFC1421 hex-encoded " + 234 "DER-encoded bytes: " + 235 ioe1.getMessage(), ioe1); 236 } 237 } 238 try { 239 parse(der); 240 } catch (IOException ioe) { 241 signedCert = null; 242 throw new CertificateException("Unable to parse DER value of " + 243 "certificate, " + ioe, ioe); 244 } 245 } 246 247 /** 248 * read input stream as HEX-encoded DER-encoded bytes 249 * 250 * @param in InputStream to read 251 * @returns DerValue corresponding to decoded HEX-encoded bytes 252 * @throws IOException if stream can not be interpreted as RFC1421 253 * encoded bytes 254 */ 255 private DerValue readRFC1421Cert(InputStream in) throws IOException { 256 DerValue der = null; 257 String line = null; 258 BufferedReader certBufferedReader = 259 new BufferedReader(new InputStreamReader(in, "ASCII")); 260 try { 261 line = certBufferedReader.readLine(); 262 } catch (IOException ioe1) { 263 throw new IOException("Unable to read InputStream: " + 264 ioe1.getMessage()); 265 } 266 if (line.equals(X509Factory.BEGIN_CERT)) { 267 /* stream appears to be hex-encoded bytes */ 268 BASE64Decoder decoder = new BASE64Decoder(); 269 ByteArrayOutputStream decstream = new ByteArrayOutputStream(); 270 try { 271 while ((line = certBufferedReader.readLine()) != null) { 272 if (line.equals(X509Factory.END_CERT)) { 273 der = new DerValue(decstream.toByteArray()); 274 break; 275 } else { 276 decstream.write(decoder.decodeBuffer(line)); 277 } 278 } 279 } catch (IOException ioe2) { 280 throw new IOException("Unable to read InputStream: " 281 + ioe2.getMessage()); 282 } 283 } else { 284 throw new IOException("InputStream is not RFC1421 hex-encoded " + 285 "DER bytes"); 286 } 287 return der; 288 } 289 290 /** 291 * Construct an initialized X509 Certificate. The certificate is stored 292 * in raw form and has to be signed to be useful. 293 * 294 * @params info the X509CertificateInfo which the Certificate is to be 295 * created from. 296 */ 297 public X509CertImpl(X509CertInfo certInfo) { 298 this.info = certInfo; 299 } 300 301 /** 302 * Unmarshal a certificate from its encoded form, parsing a DER value. 303 * This form of constructor is used by agents which need to examine 304 * and use certificate contents. 305 * 306 * @param derVal the der value containing the encoded cert. 307 * @exception CertificateException on parsing and initialization errors. 308 */ 309 public X509CertImpl(DerValue derVal) throws CertificateException { 310 try { 311 parse(derVal); 312 } catch (IOException e) { 313 signedCert = null; 314 throw new CertificateException("Unable to initialize, " + e, e); 315 } 316 } 317 318 /** 319 * Appends the certificate to an output stream. 320 * 321 * @param out an input stream to which the certificate is appended. 322 * @exception CertificateEncodingException on encoding errors. 323 */ 324 public void encode(OutputStream out) 325 throws CertificateEncodingException { 326 if (signedCert == null) 327 throw new CertificateEncodingException( 328 "Null certificate to encode"); 329 try { 330 out.write(signedCert.clone()); 331 } catch (IOException e) { 332 throw new CertificateEncodingException(e.toString()); 333 } 334 } 335 336 /** 337 * DER encode this object onto an output stream. 338 * Implements the <code>DerEncoder</code> interface. 339 * 340 * @param out the output stream on which to write the DER encoding. 341 * 342 * @exception IOException on encoding error. 343 */ 344 public void derEncode(OutputStream out) throws IOException { 345 if (signedCert == null) 346 throw new IOException("Null certificate to encode"); 347 out.write(signedCert.clone()); 348 } 349 350 /** 351 * Returns the encoded form of this certificate. It is 352 * assumed that each certificate type would have only a single 353 * form of encoding; for example, X.509 certificates would 354 * be encoded as ASN.1 DER. 355 * 356 * @exception CertificateEncodingException if an encoding error occurs. 357 */ 358 public byte[] getEncoded() throws CertificateEncodingException { 359 return getEncodedInternal().clone(); 360 } 361 362 /** 363 * Returned the encoding as an uncloned byte array. Callers must 364 * guarantee that they neither modify it nor expose it to untrusted 365 * code. 366 */ 367 public byte[] getEncodedInternal() throws CertificateEncodingException { 368 if (signedCert == null) { 369 throw new CertificateEncodingException( 370 "Null certificate to encode"); 371 } 372 return signedCert; 373 } 374 375 /** 376 * Throws an exception if the certificate was not signed using the 377 * verification key provided. Successfully verifying a certificate 378 * does <em>not</em> indicate that one should trust the entity which 379 * it represents. 380 * 381 * @param key the public key used for verification. 382 * 383 * @exception InvalidKeyException on incorrect key. 384 * @exception NoSuchAlgorithmException on unsupported signature 385 * algorithms. 386 * @exception NoSuchProviderException if there's no default provider. 387 * @exception SignatureException on signature errors. 388 * @exception CertificateException on encoding errors. 389 */ 390 public void verify(PublicKey key) 391 throws CertificateException, NoSuchAlgorithmException, 392 InvalidKeyException, NoSuchProviderException, SignatureException { 393 394 verify(key, ""); 395 } 396 397 /** 398 * Throws an exception if the certificate was not signed using the 399 * verification key provided. Successfully verifying a certificate 400 * does <em>not</em> indicate that one should trust the entity which 401 * it represents. 402 * 403 * @param key the public key used for verification. 404 * @param sigProvider the name of the provider. 405 * 406 * @exception NoSuchAlgorithmException on unsupported signature 407 * algorithms. 408 * @exception InvalidKeyException on incorrect key. 409 * @exception NoSuchProviderException on incorrect provider. 410 * @exception SignatureException on signature errors. 411 * @exception CertificateException on encoding errors. 412 */ 413 public synchronized void verify(PublicKey key, String sigProvider) 414 throws CertificateException, NoSuchAlgorithmException, 415 InvalidKeyException, NoSuchProviderException, SignatureException { 416 if (sigProvider == null) { 417 sigProvider = ""; 418 } 419 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { 420 // this certificate has already been verified using 421 // this public key. Make sure providers match, too. 422 if (sigProvider.equals(verifiedProvider)) { 423 if (verificationResult) { 424 return; 425 } else { 426 throw new SignatureException("Signature does not match."); 427 } 428 } 429 } 430 if (signedCert == null) { 431 throw new CertificateEncodingException("Uninitialized certificate"); 432 } 433 // Verify the signature ... 434 Signature sigVerf = null; 435 if (sigProvider.length() == 0) { 436 sigVerf = Signature.getInstance(algId.getName()); 437 } else { 438 sigVerf = Signature.getInstance(algId.getName(), sigProvider); 439 } 440 sigVerf.initVerify(key); 441 442 byte[] rawCert = info.getEncodedInfo(); 443 sigVerf.update(rawCert, 0, rawCert.length); 444 445 // verify may throw SignatureException for invalid encodings, etc. 446 verificationResult = sigVerf.verify(signature); 447 verifiedPublicKey = key; 448 verifiedProvider = sigProvider; 449 450 if (verificationResult == false) { 451 throw new SignatureException("Signature does not match."); 452 } 453 } 454 455 /** 456 * Creates an X.509 certificate, and signs it using the given key 457 * (associating a signature algorithm and an X.500 name). 458 * This operation is used to implement the certificate generation 459 * functionality of a certificate authority. 460 * 461 * @param key the private key used for signing. 462 * @param algorithm the name of the signature algorithm used. 463 * 464 * @exception InvalidKeyException on incorrect key. 465 * @exception NoSuchAlgorithmException on unsupported signature 466 * algorithms. 467 * @exception NoSuchProviderException if there's no default provider. 468 * @exception SignatureException on signature errors. 469 * @exception CertificateException on encoding errors. 470 */ 471 public void sign(PrivateKey key, String algorithm) 472 throws CertificateException, NoSuchAlgorithmException, 473 InvalidKeyException, NoSuchProviderException, SignatureException { 474 sign(key, algorithm, null); 475 } 476 477 /** 478 * Creates an X.509 certificate, and signs it using the given key 479 * (associating a signature algorithm and an X.500 name). 480 * This operation is used to implement the certificate generation 481 * functionality of a certificate authority. 482 * 483 * @param key the private key used for signing. 484 * @param algorithm the name of the signature algorithm used. 485 * @param provider the name of the provider. 486 * 487 * @exception NoSuchAlgorithmException on unsupported signature 488 * algorithms. 489 * @exception InvalidKeyException on incorrect key. 490 * @exception NoSuchProviderException on incorrect provider. 491 * @exception SignatureException on signature errors. 492 * @exception CertificateException on encoding errors. 493 */ 494 public void sign(PrivateKey key, String algorithm, String provider) 495 throws CertificateException, NoSuchAlgorithmException, 496 InvalidKeyException, NoSuchProviderException, SignatureException { 497 try { 498 if (readOnly) 499 throw new CertificateEncodingException( 500 "cannot over-write existing certificate"); 501 Signature sigEngine = null; 502 if ((provider == null) || (provider.length() == 0)) 503 sigEngine = Signature.getInstance(algorithm); 504 else 505 sigEngine = Signature.getInstance(algorithm, provider); 506 507 sigEngine.initSign(key); 508 509 // in case the name is reset 510 algId = AlgorithmId.get(sigEngine.getAlgorithm()); 511 512 DerOutputStream out = new DerOutputStream(); 513 DerOutputStream tmp = new DerOutputStream(); 514 515 // encode certificate info 516 info.encode(tmp); 517 byte[] rawCert = tmp.toByteArray(); 518 519 // encode algorithm identifier 520 algId.encode(tmp); 521 522 // Create and encode the signature itself. 523 sigEngine.update(rawCert, 0, rawCert.length); 524 signature = sigEngine.sign(); 525 tmp.putBitString(signature); 526 527 // Wrap the signed data in a SEQUENCE { data, algorithm, sig } 528 out.write(DerValue.tag_Sequence, tmp); 529 signedCert = out.toByteArray(); 530 readOnly = true; 531 532 } catch (IOException e) { 533 throw new CertificateEncodingException(e.toString()); 534 } 535 } 536 537 /** 538 * Checks that the certificate is currently valid, i.e. the current 539 * time is within the specified validity period. 540 * 541 * @exception CertificateExpiredException if the certificate has expired. 542 * @exception CertificateNotYetValidException if the certificate is not 543 * yet valid. 544 */ 545 public void checkValidity() 546 throws CertificateExpiredException, CertificateNotYetValidException { 547 Date date = new Date(); 548 checkValidity(date); 549 } 550 551 /** 552 * Checks that the specified date is within the certificate's 553 * validity period, or basically if the certificate would be 554 * valid at the specified date/time. 555 * 556 * @param date the Date to check against to see if this certificate 557 * is valid at that date/time. 558 * 559 * @exception CertificateExpiredException if the certificate has expired 560 * with respect to the <code>date</code> supplied. 561 * @exception CertificateNotYetValidException if the certificate is not 562 * yet valid with respect to the <code>date</code> supplied. 563 */ 564 public void checkValidity(Date date) 565 throws CertificateExpiredException, CertificateNotYetValidException { 566 567 CertificateValidity interval = null; 568 try { 569 interval = (CertificateValidity)info.get(CertificateValidity.NAME); 570 } catch (Exception e) { 571 throw new CertificateNotYetValidException("Incorrect validity period"); 572 } 573 if (interval == null) 574 throw new CertificateNotYetValidException("Null validity period"); 575 interval.valid(date); 576 } 577 578 /** 579 * Return the requested attribute from the certificate. 580 * 581 * Note that the X509CertInfo is not cloned for performance reasons. 582 * Callers must ensure that they do not modify it. All other 583 * attributes are cloned. 584 * 585 * @param name the name of the attribute. 586 * @exception CertificateParsingException on invalid attribute identifier. 587 */ 588 public Object get(String name) 589 throws CertificateParsingException { 590 X509AttributeName attr = new X509AttributeName(name); 591 String id = attr.getPrefix(); 592 if (!(id.equalsIgnoreCase(NAME))) { 593 throw new CertificateParsingException("Invalid root of " 594 + "attribute name, expected [" + NAME + 595 "], received " + "[" + id + "]"); 596 } 597 attr = new X509AttributeName(attr.getSuffix()); 598 id = attr.getPrefix(); 599 600 if (id.equalsIgnoreCase(INFO)) { 601 if (info == null) { 602 return null; 603 } 604 if (attr.getSuffix() != null) { 605 try { 606 return info.get(attr.getSuffix()); 607 } catch (IOException e) { 608 throw new CertificateParsingException(e.toString()); 609 } catch (CertificateException e) { 610 throw new CertificateParsingException(e.toString()); 611 } 612 } else { 613 return info; 614 } 615 } else if (id.equalsIgnoreCase(ALG_ID)) { 616 return(algId); 617 } else if (id.equalsIgnoreCase(SIGNATURE)) { 618 if (signature != null) 619 return signature.clone(); 620 else 621 return null; 622 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 623 if (signedCert != null) 624 return signedCert.clone(); 625 else 626 return null; 627 } else { 628 throw new CertificateParsingException("Attribute name not " 629 + "recognized or get() not allowed for the same: " + id); 630 } 631 } 632 633 /** 634 * Set the requested attribute in the certificate. 635 * 636 * @param name the name of the attribute. 637 * @param obj the value of the attribute. 638 * @exception CertificateException on invalid attribute identifier. 639 * @exception IOException on encoding error of attribute. 640 */ 641 public void set(String name, Object obj) 642 throws CertificateException, IOException { 643 // check if immutable 644 if (readOnly) 645 throw new CertificateException("cannot over-write existing" 646 + " certificate"); 647 648 X509AttributeName attr = new X509AttributeName(name); 649 String id = attr.getPrefix(); 650 if (!(id.equalsIgnoreCase(NAME))) { 651 throw new CertificateException("Invalid root of attribute name," 652 + " expected [" + NAME + "], received " + id); 653 } 654 attr = new X509AttributeName(attr.getSuffix()); 655 id = attr.getPrefix(); 656 657 if (id.equalsIgnoreCase(INFO)) { 658 if (attr.getSuffix() == null) { 659 if (!(obj instanceof X509CertInfo)) { 660 throw new CertificateException("Attribute value should" 661 + " be of type X509CertInfo."); 662 } 663 info = (X509CertInfo)obj; 664 signedCert = null; //reset this as certificate data has changed 665 } else { 666 info.set(attr.getSuffix(), obj); 667 signedCert = null; //reset this as certificate data has changed 668 } 669 } else { 670 throw new CertificateException("Attribute name not recognized or " + 671 "set() not allowed for the same: " + id); 672 } 673 } 674 675 /** 676 * Delete the requested attribute from the certificate. 677 * 678 * @param name the name of the attribute. 679 * @exception CertificateException on invalid attribute identifier. 680 * @exception IOException on other errors. 681 */ 682 public void delete(String name) 683 throws CertificateException, IOException { 684 // check if immutable 685 if (readOnly) 686 throw new CertificateException("cannot over-write existing" 687 + " certificate"); 688 689 X509AttributeName attr = new X509AttributeName(name); 690 String id = attr.getPrefix(); 691 if (!(id.equalsIgnoreCase(NAME))) { 692 throw new CertificateException("Invalid root of attribute name," 693 + " expected [" 694 + NAME + "], received " + id); 695 } 696 attr = new X509AttributeName(attr.getSuffix()); 697 id = attr.getPrefix(); 698 699 if (id.equalsIgnoreCase(INFO)) { 700 if (attr.getSuffix() != null) { 701 info = null; 702 } else { 703 info.delete(attr.getSuffix()); 704 } 705 } else if (id.equalsIgnoreCase(ALG_ID)) { 706 algId = null; 707 } else if (id.equalsIgnoreCase(SIGNATURE)) { 708 signature = null; 709 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 710 signedCert = null; 711 } else { 712 throw new CertificateException("Attribute name not recognized or " + 713 "delete() not allowed for the same: " + id); 714 } 715 } 716 717 /** 718 * Return an enumeration of names of attributes existing within this 719 * attribute. 720 */ 721 public Enumeration<String> getElements() { 722 AttributeNameEnumeration elements = new AttributeNameEnumeration(); 723 elements.addElement(NAME + DOT + INFO); 724 elements.addElement(NAME + DOT + ALG_ID); 725 elements.addElement(NAME + DOT + SIGNATURE); 726 elements.addElement(NAME + DOT + SIGNED_CERT); 727 728 return elements.elements(); 729 } 730 731 /** 732 * Return the name of this attribute. 733 */ 734 public String getName() { 735 return(NAME); 736 } 737 738 /** 739 * Returns a printable representation of the certificate. This does not 740 * contain all the information available to distinguish this from any 741 * other certificate. The certificate must be fully constructed 742 * before this function may be called. 743 */ 744 public String toString() { 745 if (info == null || algId == null || signature == null) 746 return ""; 747 748 StringBuilder sb = new StringBuilder(); 749 750 sb.append("[\n"); 751 sb.append(info.toString() + "\n"); 752 sb.append(" Algorithm: [" + algId.toString() + "]\n"); 753 754 HexDumpEncoder encoder = new HexDumpEncoder(); 755 sb.append(" Signature:\n" + encoder.encodeBuffer(signature)); 756 sb.append("\n]"); 757 758 return sb.toString(); 759 } 760 761 // the strongly typed gets, as per java.security.cert.X509Certificate 762 763 /** 764 * Gets the publickey from this certificate. 765 * 766 * @return the publickey. 767 */ 768 public PublicKey getPublicKey() { 769 if (info == null) 770 return null; 771 try { 772 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME 773 + DOT + CertificateX509Key.KEY); 774 return key; 775 } catch (Exception e) { 776 return null; 777 } 778 } 779 780 /** 781 * Gets the version number from the certificate. 782 * 783 * @return the version number, i.e. 1, 2 or 3. 784 */ 785 public int getVersion() { 786 if (info == null) 787 return -1; 788 try { 789 int vers = ((Integer)info.get(CertificateVersion.NAME 790 + DOT + CertificateVersion.VERSION)).intValue(); 791 return vers+1; 792 } catch (Exception e) { 793 return -1; 794 } 795 } 796 797 /** 798 * Gets the serial number from the certificate. 799 * 800 * @return the serial number. 801 */ 802 public BigInteger getSerialNumber() { 803 SerialNumber ser = getSerialNumberObject(); 804 805 return ser != null ? ser.getNumber() : null; 806 } 807 808 /** 809 * Gets the serial number from the certificate as 810 * a SerialNumber object. 811 * 812 * @return the serial number. 813 */ 814 public SerialNumber getSerialNumberObject() { 815 if (info == null) 816 return null; 817 try { 818 SerialNumber ser = (SerialNumber)info.get( 819 CertificateSerialNumber.NAME + DOT + 820 CertificateSerialNumber.NUMBER); 821 return ser; 822 } catch (Exception e) { 823 return null; 824 } 825 } 826 827 828 /** 829 * Gets the subject distinguished name from the certificate. 830 * 831 * @return the subject name. 832 */ 833 public Principal getSubjectDN() { 834 if (info == null) 835 return null; 836 try { 837 Principal subject = (Principal)info.get( 838 CertificateSubjectName.NAME + DOT + 839 CertificateSubjectName.DN_NAME); 840 return subject; 841 } catch (Exception e) { 842 return null; 843 } 844 } 845 846 /** 847 * Get subject name as X500Principal. Overrides implementation in 848 * X509Certificate with a slightly more efficient version that is 849 * also aware of X509CertImpl mutability. 850 */ 851 public X500Principal getSubjectX500Principal() { 852 if (info == null) { 853 return null; 854 } 855 try { 856 X500Principal subject = (X500Principal)info.get( 857 CertificateSubjectName.NAME + DOT + 858 CertificateSubjectName.DN_PRINCIPAL); 859 return subject; 860 } catch (Exception e) { 861 return null; 862 } 863 } 864 865 /** 866 * Gets the issuer distinguished name from the certificate. 867 * 868 * @return the issuer name. 869 */ 870 public Principal getIssuerDN() { 871 if (info == null) 872 return null; 873 try { 874 Principal issuer = (Principal)info.get( 875 CertificateIssuerName.NAME + DOT + 876 CertificateIssuerName.DN_NAME); 877 return issuer; 878 } catch (Exception e) { 879 return null; 880 } 881 } 882 883 /** 884 * Get issuer name as X500Principal. Overrides implementation in 885 * X509Certificate with a slightly more efficient version that is 886 * also aware of X509CertImpl mutability. 887 */ 888 public X500Principal getIssuerX500Principal() { 889 if (info == null) { 890 return null; 891 } 892 try { 893 X500Principal issuer = (X500Principal)info.get( 894 CertificateIssuerName.NAME + DOT + 895 CertificateIssuerName.DN_PRINCIPAL); 896 return issuer; 897 } catch (Exception e) { 898 return null; 899 } 900 } 901 902 /** 903 * Gets the notBefore date from the validity period of the certificate. 904 * 905 * @return the start date of the validity period. 906 */ 907 public Date getNotBefore() { 908 if (info == null) 909 return null; 910 try { 911 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 912 CertificateValidity.NOT_BEFORE); 913 return d; 914 } catch (Exception e) { 915 return null; 916 } 917 } 918 919 /** 920 * Gets the notAfter date from the validity period of the certificate. 921 * 922 * @return the end date of the validity period. 923 */ 924 public Date getNotAfter() { 925 if (info == null) 926 return null; 927 try { 928 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 929 CertificateValidity.NOT_AFTER); 930 return d; 931 } catch (Exception e) { 932 return null; 933 } 934 } 935 936 /** 937 * Gets the DER encoded certificate informations, the 938 * <code>tbsCertificate</code> from this certificate. 939 * This can be used to verify the signature independently. 940 * 941 * @return the DER encoded certificate information. 942 * @exception CertificateEncodingException if an encoding error occurs. 943 */ 944 public byte[] getTBSCertificate() throws CertificateEncodingException { 945 if (info != null) { 946 return info.getEncodedInfo(); 947 } else 948 throw new CertificateEncodingException("Uninitialized certificate"); 949 } 950 951 /** 952 * Gets the raw Signature bits from the certificate. 953 * 954 * @return the signature. 955 */ 956 public byte[] getSignature() { 957 if (signature == null) 958 return null; 959 byte[] dup = new byte[signature.length]; 960 System.arraycopy(signature, 0, dup, 0, dup.length); 961 return dup; 962 } 963 964 /** 965 * Gets the signature algorithm name for the certificate 966 * signature algorithm. 967 * For example, the string "SHA-1/DSA" or "DSS". 968 * 969 * @return the signature algorithm name. 970 */ 971 public String getSigAlgName() { 972 if (algId == null) 973 return null; 974 return (algId.getName()); 975 } 976 977 /** 978 * Gets the signature algorithm OID string from the certificate. 979 * For example, the string "1.2.840.10040.4.3" 980 * 981 * @return the signature algorithm oid string. 982 */ 983 public String getSigAlgOID() { 984 if (algId == null) 985 return null; 986 ObjectIdentifier oid = algId.getOID(); 987 return (oid.toString()); 988 } 989 990 /** 991 * Gets the DER encoded signature algorithm parameters from this 992 * certificate's signature algorithm. 993 * 994 * @return the DER encoded signature algorithm parameters, or 995 * null if no parameters are present. 996 */ 997 public byte[] getSigAlgParams() { 998 if (algId == null) 999 return null; 1000 try { 1001 return algId.getEncodedParams(); 1002 } catch (IOException e) { 1003 return null; 1004 } 1005 } 1006 1007 /** 1008 * Gets the Issuer Unique Identity from the certificate. 1009 * 1010 * @return the Issuer Unique Identity. 1011 */ 1012 public boolean[] getIssuerUniqueID() { 1013 if (info == null) 1014 return null; 1015 try { 1016 UniqueIdentity id = (UniqueIdentity)info.get( 1017 CertificateIssuerUniqueIdentity.NAME 1018 + DOT + CertificateIssuerUniqueIdentity.ID); 1019 if (id == null) 1020 return null; 1021 else 1022 return (id.getId()); 1023 } catch (Exception e) { 1024 return null; 1025 } 1026 } 1027 1028 /** 1029 * Gets the Subject Unique Identity from the certificate. 1030 * 1031 * @return the Subject Unique Identity. 1032 */ 1033 public boolean[] getSubjectUniqueID() { 1034 if (info == null) 1035 return null; 1036 try { 1037 UniqueIdentity id = (UniqueIdentity)info.get( 1038 CertificateSubjectUniqueIdentity.NAME 1039 + DOT + CertificateSubjectUniqueIdentity.ID); 1040 if (id == null) 1041 return null; 1042 else 1043 return (id.getId()); 1044 } catch (Exception e) { 1045 return null; 1046 } 1047 } 1048 1049 /** 1050 * Get AuthorityKeyIdentifier extension 1051 * @return AuthorityKeyIdentifier object or null (if no such object 1052 * in certificate) 1053 */ 1054 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension() 1055 { 1056 return (AuthorityKeyIdentifierExtension) 1057 getExtension(PKIXExtensions.AuthorityKey_Id); 1058 } 1059 1060 /** 1061 * Return the issuing authority's key identifier bytes, or null 1062 */ 1063 public byte[] getIssuerKeyIdentifier() 1064 { 1065 byte[] issuerKeyId = null; 1066 AuthorityKeyIdentifierExtension aki = 1067 getAuthorityKeyIdentifierExtension(); 1068 1069 if (aki != null) { 1070 1071 try { 1072 KeyIdentifier ki = 1073 ((KeyIdentifier) aki.get( 1074 AuthorityKeyIdentifierExtension.KEY_ID)); 1075 if (ki != null) { 1076 issuerKeyId = ki.getIdentifier(); 1077 } 1078 } catch (IOException e) { 1079 // should never happen (because KEY_ID attr is supported) 1080 } 1081 } 1082 1083 return issuerKeyId; 1084 } 1085 1086 /** 1087 * Get BasicConstraints extension 1088 * @return BasicConstraints object or null (if no such object in 1089 * certificate) 1090 */ 1091 public BasicConstraintsExtension getBasicConstraintsExtension() { 1092 return (BasicConstraintsExtension) 1093 getExtension(PKIXExtensions.BasicConstraints_Id); 1094 } 1095 1096 /** 1097 * Get CertificatePoliciesExtension 1098 * @return CertificatePoliciesExtension or null (if no such object in 1099 * certificate) 1100 */ 1101 public CertificatePoliciesExtension getCertificatePoliciesExtension() { 1102 return (CertificatePoliciesExtension) 1103 getExtension(PKIXExtensions.CertificatePolicies_Id); 1104 } 1105 1106 /** 1107 * Get ExtendedKeyUsage extension 1108 * @return ExtendedKeyUsage extension object or null (if no such object 1109 * in certificate) 1110 */ 1111 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() { 1112 return (ExtendedKeyUsageExtension) 1113 getExtension(PKIXExtensions.ExtendedKeyUsage_Id); 1114 } 1115 1116 /** 1117 * Get IssuerAlternativeName extension 1118 * @return IssuerAlternativeName object or null (if no such object in 1119 * certificate) 1120 */ 1121 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() { 1122 return (IssuerAlternativeNameExtension) 1123 getExtension(PKIXExtensions.IssuerAlternativeName_Id); 1124 } 1125 1126 /** 1127 * Get NameConstraints extension 1128 * @return NameConstraints object or null (if no such object in certificate) 1129 */ 1130 public NameConstraintsExtension getNameConstraintsExtension() { 1131 return (NameConstraintsExtension) 1132 getExtension(PKIXExtensions.NameConstraints_Id); 1133 } 1134 1135 /** 1136 * Get PolicyConstraints extension 1137 * @return PolicyConstraints object or null (if no such object in 1138 * certificate) 1139 */ 1140 public PolicyConstraintsExtension getPolicyConstraintsExtension() { 1141 return (PolicyConstraintsExtension) 1142 getExtension(PKIXExtensions.PolicyConstraints_Id); 1143 } 1144 1145 /** 1146 * Get PolicyMappingsExtension extension 1147 * @return PolicyMappingsExtension object or null (if no such object 1148 * in certificate) 1149 */ 1150 public PolicyMappingsExtension getPolicyMappingsExtension() { 1151 return (PolicyMappingsExtension) 1152 getExtension(PKIXExtensions.PolicyMappings_Id); 1153 } 1154 1155 /** 1156 * Get PrivateKeyUsage extension 1157 * @return PrivateKeyUsage object or null (if no such object in certificate) 1158 */ 1159 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() { 1160 return (PrivateKeyUsageExtension) 1161 getExtension(PKIXExtensions.PrivateKeyUsage_Id); 1162 } 1163 1164 /** 1165 * Get SubjectAlternativeName extension 1166 * @return SubjectAlternativeName object or null (if no such object in 1167 * certificate) 1168 */ 1169 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension() 1170 { 1171 return (SubjectAlternativeNameExtension) 1172 getExtension(PKIXExtensions.SubjectAlternativeName_Id); 1173 } 1174 1175 /** 1176 * Get SubjectKeyIdentifier extension 1177 * @return SubjectKeyIdentifier object or null (if no such object in 1178 * certificate) 1179 */ 1180 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() { 1181 return (SubjectKeyIdentifierExtension) 1182 getExtension(PKIXExtensions.SubjectKey_Id); 1183 } 1184 1185 /** 1186 * Returns the subject's key identifier bytes, or null 1187 */ 1188 public byte[] getSubjectKeyIdentifier() 1189 { 1190 byte[] subjectKeyId = null; 1191 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension(); 1192 1193 if (ski != null) { 1194 1195 try { 1196 KeyIdentifier ki = 1197 ((KeyIdentifier) ski.get( 1198 SubjectKeyIdentifierExtension.KEY_ID)); 1199 if (ki != null) { 1200 subjectKeyId = ki.getIdentifier(); 1201 } 1202 } catch (IOException e) { 1203 // should never happen (because KEY_ID attr is supported) 1204 } 1205 } 1206 1207 return subjectKeyId; 1208 } 1209 1210 /** 1211 * Get CRLDistributionPoints extension 1212 * @return CRLDistributionPoints object or null (if no such object in 1213 * certificate) 1214 */ 1215 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() { 1216 return (CRLDistributionPointsExtension) 1217 getExtension(PKIXExtensions.CRLDistributionPoints_Id); 1218 } 1219 1220 /** 1221 * Return true if a critical extension is found that is 1222 * not supported, otherwise return false. 1223 */ 1224 public boolean hasUnsupportedCriticalExtension() { 1225 if (info == null) 1226 return false; 1227 try { 1228 CertificateExtensions exts = (CertificateExtensions)info.get( 1229 CertificateExtensions.NAME); 1230 if (exts == null) 1231 return false; 1232 return exts.hasUnsupportedCriticalExtension(); 1233 } catch (Exception e) { 1234 return false; 1235 } 1236 } 1237 1238 /** 1239 * Gets a Set of the extension(s) marked CRITICAL in the 1240 * certificate. In the returned set, each extension is 1241 * represented by its OID string. 1242 * 1243 * @return a set of the extension oid strings in the 1244 * certificate that are marked critical. 1245 */ 1246 public Set<String> getCriticalExtensionOIDs() { 1247 if (info == null) { 1248 return null; 1249 } 1250 try { 1251 CertificateExtensions exts = (CertificateExtensions)info.get( 1252 CertificateExtensions.NAME); 1253 if (exts == null) { 1254 return null; 1255 } 1256 Set<String> extSet = new TreeSet<>(); 1257 for (Extension ex : exts.getAllExtensions()) { 1258 if (ex.isCritical()) { 1259 extSet.add(ex.getExtensionId().toString()); 1260 } 1261 } 1262 return extSet; 1263 } catch (Exception e) { 1264 return null; 1265 } 1266 } 1267 1268 /** 1269 * Gets a Set of the extension(s) marked NON-CRITICAL in the 1270 * certificate. In the returned set, each extension is 1271 * represented by its OID string. 1272 * 1273 * @return a set of the extension oid strings in the 1274 * certificate that are NOT marked critical. 1275 */ 1276 public Set<String> getNonCriticalExtensionOIDs() { 1277 if (info == null) { 1278 return null; 1279 } 1280 try { 1281 CertificateExtensions exts = (CertificateExtensions)info.get( 1282 CertificateExtensions.NAME); 1283 if (exts == null) { 1284 return null; 1285 } 1286 Set<String> extSet = new TreeSet<>(); 1287 for (Extension ex : exts.getAllExtensions()) { 1288 if (!ex.isCritical()) { 1289 extSet.add(ex.getExtensionId().toString()); 1290 } 1291 } 1292 extSet.addAll(exts.getUnparseableExtensions().keySet()); 1293 return extSet; 1294 } catch (Exception e) { 1295 return null; 1296 } 1297 } 1298 1299 /** 1300 * Gets the extension identified by the given ObjectIdentifier 1301 * 1302 * @param oid the Object Identifier value for the extension. 1303 * @return Extension or null if certificate does not contain this 1304 * extension 1305 */ 1306 public Extension getExtension(ObjectIdentifier oid) { 1307 if (info == null) { 1308 return null; 1309 } 1310 try { 1311 CertificateExtensions extensions; 1312 try { 1313 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1314 } catch (CertificateException ce) { 1315 return null; 1316 } 1317 if (extensions == null) { 1318 return null; 1319 } else { 1320 Extension ex = extensions.getExtension(oid.toString()); 1321 if (ex != null) { 1322 return ex; 1323 } 1324 for (Extension ex2: extensions.getAllExtensions()) { 1325 if (ex2.getExtensionId().equals((Object)oid)) { 1326 //XXXX May want to consider cloning this 1327 return ex2; 1328 } 1329 } 1330 /* no such extension in this certificate */ 1331 return null; 1332 } 1333 } catch (IOException ioe) { 1334 return null; 1335 } 1336 } 1337 1338 public Extension getUnparseableExtension(ObjectIdentifier oid) { 1339 if (info == null) { 1340 return null; 1341 } 1342 try { 1343 CertificateExtensions extensions; 1344 try { 1345 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1346 } catch (CertificateException ce) { 1347 return null; 1348 } 1349 if (extensions == null) { 1350 return null; 1351 } else { 1352 return extensions.getUnparseableExtensions().get(oid.toString()); 1353 } 1354 } catch (IOException ioe) { 1355 return null; 1356 } 1357 } 1358 1359 /** 1360 * Gets the DER encoded extension identified by the given 1361 * oid String. 1362 * 1363 * @param oid the Object Identifier value for the extension. 1364 */ 1365 public byte[] getExtensionValue(String oid) { 1366 try { 1367 ObjectIdentifier findOID = new ObjectIdentifier(oid); 1368 String extAlias = OIDMap.getName(findOID); 1369 Extension certExt = null; 1370 CertificateExtensions exts = (CertificateExtensions)info.get( 1371 CertificateExtensions.NAME); 1372 1373 if (extAlias == null) { // may be unknown 1374 // get the extensions, search thru' for this oid 1375 if (exts == null) { 1376 return null; 1377 } 1378 1379 for (Extension ex : exts.getAllExtensions()) { 1380 ObjectIdentifier inCertOID = ex.getExtensionId(); 1381 if (inCertOID.equals((Object)findOID)) { 1382 certExt = ex; 1383 break; 1384 } 1385 } 1386 } else { // there's sub-class that can handle this extension 1387 try { 1388 certExt = (Extension)this.get(extAlias); 1389 } catch (CertificateException e) { 1390 // get() throws an Exception instead of returning null, ignore 1391 } 1392 } 1393 if (certExt == null) { 1394 if (exts != null) { 1395 certExt = exts.getUnparseableExtensions().get(oid); 1396 } 1397 if (certExt == null) { 1398 return null; 1399 } 1400 } 1401 byte[] extData = certExt.getExtensionValue(); 1402 if (extData == null) { 1403 return null; 1404 } 1405 DerOutputStream out = new DerOutputStream(); 1406 out.putOctetString(extData); 1407 return out.toByteArray(); 1408 } catch (Exception e) { 1409 return null; 1410 } 1411 } 1412 1413 /** 1414 * Get a boolean array representing the bits of the KeyUsage extension, 1415 * (oid = 2.5.29.15). 1416 * @return the bit values of this extension as an array of booleans. 1417 */ 1418 public boolean[] getKeyUsage() { 1419 try { 1420 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id); 1421 if (extAlias == null) 1422 return null; 1423 1424 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias); 1425 if (certExt == null) 1426 return null; 1427 1428 boolean[] ret = certExt.getBits(); 1429 if (ret.length < NUM_STANDARD_KEY_USAGE) { 1430 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE]; 1431 System.arraycopy(ret, 0, usageBits, 0, ret.length); 1432 ret = usageBits; 1433 } 1434 return ret; 1435 } catch (Exception e) { 1436 return null; 1437 } 1438 } 1439 1440 /** 1441 * This method are the overridden implementation of 1442 * getExtendedKeyUsage method in X509Certificate in the Sun 1443 * provider. It is better performance-wise since it returns cached 1444 * values. 1445 */ 1446 public synchronized List<String> getExtendedKeyUsage() 1447 throws CertificateParsingException { 1448 if (readOnly && extKeyUsage != null) { 1449 return extKeyUsage; 1450 } else { 1451 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension(); 1452 if (ext == null) { 1453 return null; 1454 } 1455 extKeyUsage = 1456 Collections.unmodifiableList(ext.getExtendedKeyUsage()); 1457 return extKeyUsage; 1458 } 1459 } 1460 1461 /** 1462 * This static method is the default implementation of the 1463 * getExtendedKeyUsage method in X509Certificate. A 1464 * X509Certificate provider generally should overwrite this to 1465 * provide among other things caching for better performance. 1466 */ 1467 public static List<String> getExtendedKeyUsage(X509Certificate cert) 1468 throws CertificateParsingException { 1469 try { 1470 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID); 1471 if (ext == null) 1472 return null; 1473 DerValue val = new DerValue(ext); 1474 byte[] data = val.getOctetString(); 1475 1476 ExtendedKeyUsageExtension ekuExt = 1477 new ExtendedKeyUsageExtension(Boolean.FALSE, data); 1478 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage()); 1479 } catch (IOException ioe) { 1480 throw new CertificateParsingException(ioe); 1481 } 1482 } 1483 1484 /** 1485 * Get the certificate constraints path length from the 1486 * the critical BasicConstraints extension, (oid = 2.5.29.19). 1487 * @return the length of the constraint. 1488 */ 1489 public int getBasicConstraints() { 1490 try { 1491 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id); 1492 if (extAlias == null) 1493 return -1; 1494 BasicConstraintsExtension certExt = 1495 (BasicConstraintsExtension)this.get(extAlias); 1496 if (certExt == null) 1497 return -1; 1498 1499 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA) 1500 ).booleanValue() == true) 1501 return ((Integer)certExt.get( 1502 BasicConstraintsExtension.PATH_LEN)).intValue(); 1503 else 1504 return -1; 1505 } catch (Exception e) { 1506 return -1; 1507 } 1508 } 1509 1510 /** 1511 * Converts a GeneralNames structure into an immutable Collection of 1512 * alternative names (subject or issuer) in the form required by 1513 * {@link #getSubjectAlternativeNames} or 1514 * {@link #getIssuerAlternativeNames}. 1515 * 1516 * @param names the GeneralNames to be converted 1517 * @return an immutable Collection of alternative names 1518 */ 1519 private static Collection<List<?>> makeAltNames(GeneralNames names) { 1520 if (names.isEmpty()) { 1521 return Collections.<List<?>>emptySet(); 1522 } 1523 List<List<?>> newNames = new ArrayList<>(); 1524 for (GeneralName gname : names.names()) { 1525 GeneralNameInterface name = gname.getName(); 1526 List<Object> nameEntry = new ArrayList<>(2); 1527 nameEntry.add(Integer.valueOf(name.getType())); 1528 switch (name.getType()) { 1529 case GeneralNameInterface.NAME_RFC822: 1530 nameEntry.add(((RFC822Name) name).getName()); 1531 break; 1532 case GeneralNameInterface.NAME_DNS: 1533 nameEntry.add(((DNSName) name).getName()); 1534 break; 1535 case GeneralNameInterface.NAME_DIRECTORY: 1536 nameEntry.add(((X500Name) name).getRFC2253Name()); 1537 break; 1538 case GeneralNameInterface.NAME_URI: 1539 nameEntry.add(((URIName) name).getName()); 1540 break; 1541 case GeneralNameInterface.NAME_IP: 1542 try { 1543 nameEntry.add(((IPAddressName) name).getName()); 1544 } catch (IOException ioe) { 1545 // IPAddressName in cert is bogus 1546 throw new RuntimeException("IPAddress cannot be parsed", 1547 ioe); 1548 } 1549 break; 1550 case GeneralNameInterface.NAME_OID: 1551 nameEntry.add(((OIDName) name).getOID().toString()); 1552 break; 1553 default: 1554 // add DER encoded form 1555 DerOutputStream derOut = new DerOutputStream(); 1556 try { 1557 name.encode(derOut); 1558 } catch (IOException ioe) { 1559 // should not occur since name has already been decoded 1560 // from cert (this would indicate a bug in our code) 1561 throw new RuntimeException("name cannot be encoded", ioe); 1562 } 1563 nameEntry.add(derOut.toByteArray()); 1564 break; 1565 } 1566 newNames.add(Collections.unmodifiableList(nameEntry)); 1567 } 1568 return Collections.unmodifiableCollection(newNames); 1569 } 1570 1571 /** 1572 * Checks a Collection of altNames and clones any name entries of type 1573 * byte []. 1574 */ // only partially generified due to javac bug 1575 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) { 1576 boolean mustClone = false; 1577 for (List<?> nameEntry : altNames) { 1578 if (nameEntry.get(1) instanceof byte[]) { 1579 // must clone names 1580 mustClone = true; 1581 } 1582 } 1583 if (mustClone) { 1584 List<List<?>> namesCopy = new ArrayList<>(); 1585 for (List<?> nameEntry : altNames) { 1586 Object nameObject = nameEntry.get(1); 1587 if (nameObject instanceof byte[]) { 1588 List<Object> nameEntryCopy = 1589 new ArrayList<>(nameEntry); 1590 nameEntryCopy.set(1, ((byte[])nameObject).clone()); 1591 namesCopy.add(Collections.unmodifiableList(nameEntryCopy)); 1592 } else { 1593 namesCopy.add(nameEntry); 1594 } 1595 } 1596 return Collections.unmodifiableCollection(namesCopy); 1597 } else { 1598 return altNames; 1599 } 1600 } 1601 1602 /** 1603 * This method are the overridden implementation of 1604 * getSubjectAlternativeNames method in X509Certificate in the Sun 1605 * provider. It is better performance-wise since it returns cached 1606 * values. 1607 */ 1608 public synchronized Collection<List<?>> getSubjectAlternativeNames() 1609 throws CertificateParsingException { 1610 // return cached value if we can 1611 if (readOnly && subjectAlternativeNames != null) { 1612 return cloneAltNames(subjectAlternativeNames); 1613 } 1614 SubjectAlternativeNameExtension subjectAltNameExt = 1615 getSubjectAlternativeNameExtension(); 1616 if (subjectAltNameExt == null) { 1617 return null; 1618 } 1619 GeneralNames names; 1620 try { 1621 names = (GeneralNames) subjectAltNameExt.get( 1622 SubjectAlternativeNameExtension.SUBJECT_NAME); 1623 } catch (IOException ioe) { 1624 // should not occur 1625 return Collections.<List<?>>emptySet(); 1626 } 1627 subjectAlternativeNames = makeAltNames(names); 1628 return subjectAlternativeNames; 1629 } 1630 1631 /** 1632 * This static method is the default implementation of the 1633 * getSubjectAlternaitveNames method in X509Certificate. A 1634 * X509Certificate provider generally should overwrite this to 1635 * provide among other things caching for better performance. 1636 */ 1637 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert) 1638 throws CertificateParsingException { 1639 try { 1640 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID); 1641 if (ext == null) { 1642 return null; 1643 } 1644 DerValue val = new DerValue(ext); 1645 byte[] data = val.getOctetString(); 1646 1647 SubjectAlternativeNameExtension subjectAltNameExt = 1648 new SubjectAlternativeNameExtension(Boolean.FALSE, 1649 data); 1650 1651 GeneralNames names; 1652 try { 1653 names = (GeneralNames) subjectAltNameExt.get( 1654 SubjectAlternativeNameExtension.SUBJECT_NAME); 1655 } catch (IOException ioe) { 1656 // should not occur 1657 return Collections.<List<?>>emptySet(); 1658 } 1659 return makeAltNames(names); 1660 } catch (IOException ioe) { 1661 throw new CertificateParsingException(ioe); 1662 } 1663 } 1664 1665 /** 1666 * This method are the overridden implementation of 1667 * getIssuerAlternativeNames method in X509Certificate in the Sun 1668 * provider. It is better performance-wise since it returns cached 1669 * values. 1670 */ 1671 public synchronized Collection<List<?>> getIssuerAlternativeNames() 1672 throws CertificateParsingException { 1673 // return cached value if we can 1674 if (readOnly && issuerAlternativeNames != null) { 1675 return cloneAltNames(issuerAlternativeNames); 1676 } 1677 IssuerAlternativeNameExtension issuerAltNameExt = 1678 getIssuerAlternativeNameExtension(); 1679 if (issuerAltNameExt == null) { 1680 return null; 1681 } 1682 GeneralNames names; 1683 try { 1684 names = (GeneralNames) issuerAltNameExt.get( 1685 IssuerAlternativeNameExtension.ISSUER_NAME); 1686 } catch (IOException ioe) { 1687 // should not occur 1688 return Collections.<List<?>>emptySet(); 1689 } 1690 issuerAlternativeNames = makeAltNames(names); 1691 return issuerAlternativeNames; 1692 } 1693 1694 /** 1695 * This static method is the default implementation of the 1696 * getIssuerAlternaitveNames method in X509Certificate. A 1697 * X509Certificate provider generally should overwrite this to 1698 * provide among other things caching for better performance. 1699 */ 1700 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert) 1701 throws CertificateParsingException { 1702 try { 1703 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID); 1704 if (ext == null) { 1705 return null; 1706 } 1707 1708 DerValue val = new DerValue(ext); 1709 byte[] data = val.getOctetString(); 1710 1711 IssuerAlternativeNameExtension issuerAltNameExt = 1712 new IssuerAlternativeNameExtension(Boolean.FALSE, 1713 data); 1714 GeneralNames names; 1715 try { 1716 names = (GeneralNames) issuerAltNameExt.get( 1717 IssuerAlternativeNameExtension.ISSUER_NAME); 1718 } catch (IOException ioe) { 1719 // should not occur 1720 return Collections.<List<?>>emptySet(); 1721 } 1722 return makeAltNames(names); 1723 } catch (IOException ioe) { 1724 throw new CertificateParsingException(ioe); 1725 } 1726 } 1727 1728 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() { 1729 return (AuthorityInfoAccessExtension) 1730 getExtension(PKIXExtensions.AuthInfoAccess_Id); 1731 } 1732 1733 /************************************************************/ 1734 1735 /* 1736 * Cert is a SIGNED ASN.1 macro, a three elment sequence: 1737 * 1738 * - Data to be signed (ToBeSigned) -- the "raw" cert 1739 * - Signature algorithm (SigAlgId) 1740 * - The signature bits 1741 * 1742 * This routine unmarshals the certificate, saving the signature 1743 * parts away for later verification. 1744 */ 1745 private void parse(DerValue val) 1746 throws CertificateException, IOException { 1747 // check if can over write the certificate 1748 if (readOnly) 1749 throw new CertificateParsingException( 1750 "cannot over-write existing certificate"); 1751 1752 if (val.data == null || val.tag != DerValue.tag_Sequence) 1753 throw new CertificateParsingException( 1754 "invalid DER-encoded certificate data"); 1755 1756 signedCert = val.toByteArray(); 1757 DerValue[] seq = new DerValue[3]; 1758 1759 seq[0] = val.data.getDerValue(); 1760 seq[1] = val.data.getDerValue(); 1761 seq[2] = val.data.getDerValue(); 1762 1763 if (val.data.available() != 0) { 1764 throw new CertificateParsingException("signed overrun, bytes = " 1765 + val.data.available()); 1766 } 1767 if (seq[0].tag != DerValue.tag_Sequence) { 1768 throw new CertificateParsingException("signed fields invalid"); 1769 } 1770 1771 algId = AlgorithmId.parse(seq[1]); 1772 signature = seq[2].getBitString(); 1773 1774 if (seq[1].data.available() != 0) { 1775 throw new CertificateParsingException("algid field overrun"); 1776 } 1777 if (seq[2].data.available() != 0) 1778 throw new CertificateParsingException("signed fields overrun"); 1779 1780 // The CertificateInfo 1781 info = new X509CertInfo(seq[0]); 1782 1783 // the "inner" and "outer" signature algorithms must match 1784 AlgorithmId infoSigAlg = (AlgorithmId)info.get( 1785 CertificateAlgorithmId.NAME 1786 + DOT + 1787 CertificateAlgorithmId.ALGORITHM); 1788 if (! algId.equals(infoSigAlg)) 1789 throw new CertificateException("Signature algorithm mismatch"); 1790 readOnly = true; 1791 } 1792 1793 /** 1794 * Extract the subject or issuer X500Principal from an X509Certificate. 1795 * Parses the encoded form of the cert to preserve the principal's 1796 * ASN.1 encoding. 1797 */ 1798 private static X500Principal getX500Principal(X509Certificate cert, 1799 boolean getIssuer) throws Exception { 1800 byte[] encoded = cert.getEncoded(); 1801 DerInputStream derIn = new DerInputStream(encoded); 1802 DerValue tbsCert = derIn.getSequence(3)[0]; 1803 DerInputStream tbsIn = tbsCert.data; 1804 DerValue tmp; 1805 tmp = tbsIn.getDerValue(); 1806 // skip version number if present 1807 if (tmp.isContextSpecific((byte)0)) { 1808 tmp = tbsIn.getDerValue(); 1809 } 1810 // tmp always contains serial number now 1811 tmp = tbsIn.getDerValue(); // skip signature 1812 tmp = tbsIn.getDerValue(); // issuer 1813 if (getIssuer == false) { 1814 tmp = tbsIn.getDerValue(); // skip validity 1815 tmp = tbsIn.getDerValue(); // subject 1816 } 1817 byte[] principalBytes = tmp.toByteArray(); 1818 return new X500Principal(principalBytes); 1819 } 1820 1821 /** 1822 * Extract the subject X500Principal from an X509Certificate. 1823 * Called from java.security.cert.X509Certificate.getSubjectX500Principal(). 1824 */ 1825 public static X500Principal getSubjectX500Principal(X509Certificate cert) { 1826 try { 1827 return getX500Principal(cert, false); 1828 } catch (Exception e) { 1829 throw new RuntimeException("Could not parse subject", e); 1830 } 1831 } 1832 1833 /** 1834 * Extract the issuer X500Principal from an X509Certificate. 1835 * Called from java.security.cert.X509Certificate.getIssuerX500Principal(). 1836 */ 1837 public static X500Principal getIssuerX500Principal(X509Certificate cert) { 1838 try { 1839 return getX500Principal(cert, true); 1840 } catch (Exception e) { 1841 throw new RuntimeException("Could not parse issuer", e); 1842 } 1843 } 1844 1845 /** 1846 * Returned the encoding of the given certificate for internal use. 1847 * Callers must guarantee that they neither modify it nor expose it 1848 * to untrusted code. Uses getEncodedInternal() if the certificate 1849 * is instance of X509CertImpl, getEncoded() otherwise. 1850 */ 1851 public static byte[] getEncodedInternal(Certificate cert) 1852 throws CertificateEncodingException { 1853 if (cert instanceof X509CertImpl) { 1854 return ((X509CertImpl)cert).getEncodedInternal(); 1855 } else { 1856 return cert.getEncoded(); 1857 } 1858 } 1859 1860 /** 1861 * Utility method to convert an arbitrary instance of X509Certificate 1862 * to a X509CertImpl. Does a cast if possible, otherwise reparses 1863 * the encoding. 1864 */ 1865 public static X509CertImpl toImpl(X509Certificate cert) 1866 throws CertificateException { 1867 if (cert instanceof X509CertImpl) { 1868 return (X509CertImpl)cert; 1869 } else { 1870 return X509Factory.intern(cert); 1871 } 1872 } 1873 1874 /** 1875 * Utility method to test if a certificate is self-issued. This is 1876 * the case iff the subject and issuer X500Principals are equal. 1877 */ 1878 public static boolean isSelfIssued(X509Certificate cert) { 1879 X500Principal subject = cert.getSubjectX500Principal(); 1880 X500Principal issuer = cert.getIssuerX500Principal(); 1881 return subject.equals(issuer); 1882 } 1883 1884 /** 1885 * Utility method to test if a certificate is self-signed. This is 1886 * the case iff the subject and issuer X500Principals are equal 1887 * AND the certificate's subject public key can be used to verify 1888 * the certificate. In case of exception, returns false. 1889 */ 1890 public static boolean isSelfSigned(X509Certificate cert, 1891 String sigProvider) { 1892 if (isSelfIssued(cert)) { 1893 try { 1894 if (sigProvider == null) { 1895 cert.verify(cert.getPublicKey()); 1896 } else { 1897 cert.verify(cert.getPublicKey(), sigProvider); 1898 } 1899 return true; 1900 } catch (Exception e) { 1901 // In case of exception, return false 1902 } 1903 } 1904 return false; 1905 } 1906 }