1 /*
   2  * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.io.IOException;
  29 import java.math.BigInteger;
  30 import java.security.PublicKey;
  31 import java.util.*;
  32 import javax.security.auth.x500.X500Principal;
  33 
  34 import sun.misc.HexDumpEncoder;
  35 import sun.security.util.Debug;
  36 import sun.security.util.DerInputStream;
  37 import sun.security.util.DerValue;
  38 import sun.security.util.ObjectIdentifier;
  39 import sun.security.x509.*;
  40 
  41 /**
  42  * A {@code CertSelector} that selects {@code X509Certificates} that
  43  * match all specified criteria. This class is particularly useful when
  44  * selecting certificates from a {@code CertStore} to build a
  45  * PKIX-compliant certification path.
  46  * <p>
  47  * When first constructed, an {@code X509CertSelector} has no criteria
  48  * enabled and each of the {@code get} methods return a default value
  49  * ({@code null}, or {@code -1} for the {@link #getBasicConstraints
  50  * getBasicConstraints} method). Therefore, the {@link #match match}
  51  * method would return {@code true} for any {@code X509Certificate}.
  52  * Typically, several criteria are enabled (by calling
  53  * {@link #setIssuer setIssuer} or
  54  * {@link #setKeyUsage setKeyUsage}, for instance) and then the
  55  * {@code X509CertSelector} is passed to
  56  * {@link CertStore#getCertificates CertStore.getCertificates} or some similar
  57  * method.
  58  * <p>
  59  * Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
  60  * and {@link #setSerialNumber setSerialNumber},
  61  * for example) such that the {@code match} method
  62  * usually uniquely matches a single {@code X509Certificate}. We say
  63  * usually, since it is possible for two issuing CAs to have the same
  64  * distinguished name and each issue a certificate with the same serial
  65  * number. Other unique combinations include the issuer, subject,
  66  * subjectKeyIdentifier and/or the subjectPublicKey criteria.
  67  * <p>
  68  * Please refer to <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280:
  69  * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a> for
  70  * definitions of the X.509 certificate extensions mentioned below.
  71  * <p>
  72  * <b>Concurrent Access</b>
  73  * <p>
  74  * Unless otherwise specified, the methods defined in this class are not
  75  * thread-safe. Multiple threads that need to access a single
  76  * object concurrently should synchronize amongst themselves and
  77  * provide the necessary locking. Multiple threads each manipulating
  78  * separate objects need not synchronize.
  79  *
  80  * @see CertSelector
  81  * @see X509Certificate
  82  *
  83  * @since       1.4
  84  * @author      Steve Hanna
  85  */
  86 public class X509CertSelector implements CertSelector {
  87 
  88     private static final Debug debug = Debug.getInstance("certpath");
  89 
  90     private final static ObjectIdentifier ANY_EXTENDED_KEY_USAGE =
  91         ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0});
  92 
  93     static {
  94         CertPathHelperImpl.initialize();
  95     }
  96 
  97     private BigInteger serialNumber;
  98     private X500Principal issuer;
  99     private X500Principal subject;
 100     private byte[] subjectKeyID;
 101     private byte[] authorityKeyID;
 102     private Date certificateValid;
 103     private Date privateKeyValid;
 104     private ObjectIdentifier subjectPublicKeyAlgID;
 105     private PublicKey subjectPublicKey;
 106     private byte[] subjectPublicKeyBytes;
 107     private boolean[] keyUsage;
 108     private Set<String> keyPurposeSet;
 109     private Set<ObjectIdentifier> keyPurposeOIDSet;
 110     private Set<List<?>> subjectAlternativeNames;
 111     private Set<GeneralNameInterface> subjectAlternativeGeneralNames;
 112     private CertificatePolicySet policy;
 113     private Set<String> policySet;
 114     private Set<List<?>> pathToNames;
 115     private Set<GeneralNameInterface> pathToGeneralNames;
 116     private NameConstraintsExtension nc;
 117     private byte[] ncBytes;
 118     private int basicConstraints = -1;
 119     private X509Certificate x509Cert;
 120     private boolean matchAllSubjectAltNames = true;
 121 
 122     private static final Boolean FALSE = Boolean.FALSE;
 123 
 124     private static final int PRIVATE_KEY_USAGE_ID = 0;
 125     private static final int SUBJECT_ALT_NAME_ID = 1;
 126     private static final int NAME_CONSTRAINTS_ID = 2;
 127     private static final int CERT_POLICIES_ID = 3;
 128     private static final int EXTENDED_KEY_USAGE_ID = 4;
 129     private static final int NUM_OF_EXTENSIONS = 5;
 130     private static final String[] EXTENSION_OIDS = new String[NUM_OF_EXTENSIONS];
 131 
 132     static {
 133         EXTENSION_OIDS[PRIVATE_KEY_USAGE_ID]  = "2.5.29.16";
 134         EXTENSION_OIDS[SUBJECT_ALT_NAME_ID]   = "2.5.29.17";
 135         EXTENSION_OIDS[NAME_CONSTRAINTS_ID]   = "2.5.29.30";
 136         EXTENSION_OIDS[CERT_POLICIES_ID]      = "2.5.29.32";
 137         EXTENSION_OIDS[EXTENDED_KEY_USAGE_ID] = "2.5.29.37";
 138     };
 139 
 140     /* Constants representing the GeneralName types */
 141     static final int NAME_ANY = 0;
 142     static final int NAME_RFC822 = 1;
 143     static final int NAME_DNS = 2;
 144     static final int NAME_X400 = 3;
 145     static final int NAME_DIRECTORY = 4;
 146     static final int NAME_EDI = 5;
 147     static final int NAME_URI = 6;
 148     static final int NAME_IP = 7;
 149     static final int NAME_OID = 8;
 150 
 151     /**
 152      * Creates an {@code X509CertSelector}. Initially, no criteria are set
 153      * so any {@code X509Certificate} will match.
 154      */
 155     public X509CertSelector() {
 156         // empty
 157     }
 158 
 159     /**
 160      * Sets the certificateEquals criterion. The specified
 161      * {@code X509Certificate} must be equal to the
 162      * {@code X509Certificate} passed to the {@code match} method.
 163      * If {@code null}, then this check is not applied.
 164      *
 165      * <p>This method is particularly useful when it is necessary to
 166      * match a single certificate. Although other criteria can be specified
 167      * in conjunction with the certificateEquals criterion, it is usually not
 168      * practical or necessary.
 169      *
 170      * @param cert the {@code X509Certificate} to match (or
 171      * {@code null})
 172      * @see #getCertificate
 173      */
 174     public void setCertificate(X509Certificate cert) {
 175         x509Cert = cert;
 176     }
 177 
 178     /**
 179      * Sets the serialNumber criterion. The specified serial number
 180      * must match the certificate serial number in the
 181      * {@code X509Certificate}. If {@code null}, any certificate
 182      * serial number will do.
 183      *
 184      * @param serial the certificate serial number to match
 185      *        (or {@code null})
 186      * @see #getSerialNumber
 187      */
 188     public void setSerialNumber(BigInteger serial) {
 189         serialNumber = serial;
 190     }
 191 
 192     /**
 193      * Sets the issuer criterion. The specified distinguished name
 194      * must match the issuer distinguished name in the
 195      * {@code X509Certificate}. If {@code null}, any issuer
 196      * distinguished name will do.
 197      *
 198      * @param issuer a distinguished name as X500Principal
 199      *                 (or {@code null})
 200      * @since 1.5
 201      */
 202     public void setIssuer(X500Principal issuer) {
 203         this.issuer = issuer;
 204     }
 205 
 206     /**
 207      * <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
 208      * or {@linkplain #setIssuer(byte[])} instead. This method should not be
 209      * relied on as it can fail to match some certificates because of a loss of
 210      * encoding information in the
 211      * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
 212      * of some distinguished names.
 213      * <p>
 214      * Sets the issuer criterion. The specified distinguished name
 215      * must match the issuer distinguished name in the
 216      * {@code X509Certificate}. If {@code null}, any issuer
 217      * distinguished name will do.
 218      * <p>
 219      * If {@code issuerDN} is not {@code null}, it should contain a
 220      * distinguished name, in RFC 2253 format.
 221      *
 222      * @param issuerDN a distinguished name in RFC 2253 format
 223      *                 (or {@code null})
 224      * @throws IOException if a parsing error occurs (incorrect form for DN)
 225      */
 226     public void setIssuer(String issuerDN) throws IOException {
 227         if (issuerDN == null) {
 228             issuer = null;
 229         } else {
 230             issuer = new X500Name(issuerDN).asX500Principal();
 231         }
 232     }
 233 
 234     /**
 235      * Sets the issuer criterion. The specified distinguished name
 236      * must match the issuer distinguished name in the
 237      * {@code X509Certificate}. If {@code null} is specified,
 238      * the issuer criterion is disabled and any issuer distinguished name will
 239      * do.
 240      * <p>
 241      * If {@code issuerDN} is not {@code null}, it should contain a
 242      * single DER encoded distinguished name, as defined in X.501. The ASN.1
 243      * notation for this structure is as follows.
 244      * <pre>{@code
 245      * Name ::= CHOICE {
 246      *   RDNSequence }
 247      *
 248      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 249      *
 250      * RelativeDistinguishedName ::=
 251      *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
 252      *
 253      * AttributeTypeAndValue ::= SEQUENCE {
 254      *   type     AttributeType,
 255      *   value    AttributeValue }
 256      *
 257      * AttributeType ::= OBJECT IDENTIFIER
 258      *
 259      * AttributeValue ::= ANY DEFINED BY AttributeType
 260      * ....
 261      * DirectoryString ::= CHOICE {
 262      *       teletexString           TeletexString (SIZE (1..MAX)),
 263      *       printableString         PrintableString (SIZE (1..MAX)),
 264      *       universalString         UniversalString (SIZE (1..MAX)),
 265      *       utf8String              UTF8String (SIZE (1.. MAX)),
 266      *       bmpString               BMPString (SIZE (1..MAX)) }
 267      * }</pre>
 268      * <p>
 269      * Note that the byte array specified here is cloned to protect against
 270      * subsequent modifications.
 271      *
 272      * @param issuerDN a byte array containing the distinguished name
 273      *                 in ASN.1 DER encoded form (or {@code null})
 274      * @throws IOException if an encoding error occurs (incorrect form for DN)
 275      */
 276     public void setIssuer(byte[] issuerDN) throws IOException {
 277         try {
 278             issuer = (issuerDN == null ? null : new X500Principal(issuerDN));
 279         } catch (IllegalArgumentException e) {
 280             throw new IOException("Invalid name", e);
 281         }
 282     }
 283 
 284     /**
 285      * Sets the subject criterion. The specified distinguished name
 286      * must match the subject distinguished name in the
 287      * {@code X509Certificate}. If {@code null}, any subject
 288      * distinguished name will do.
 289      *
 290      * @param subject a distinguished name as X500Principal
 291      *                  (or {@code null})
 292      * @since 1.5
 293      */
 294     public void setSubject(X500Principal subject) {
 295         this.subject = subject;
 296     }
 297 
 298     /**
 299      * <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
 300      * or {@linkplain #setSubject(byte[])} instead. This method should not be
 301      * relied on as it can fail to match some certificates because of a loss of
 302      * encoding information in the RFC 2253 String form of some distinguished
 303      * names.
 304      * <p>
 305      * Sets the subject criterion. The specified distinguished name
 306      * must match the subject distinguished name in the
 307      * {@code X509Certificate}. If {@code null}, any subject
 308      * distinguished name will do.
 309      * <p>
 310      * If {@code subjectDN} is not {@code null}, it should contain a
 311      * distinguished name, in RFC 2253 format.
 312      *
 313      * @param subjectDN a distinguished name in RFC 2253 format
 314      *                  (or {@code null})
 315      * @throws IOException if a parsing error occurs (incorrect form for DN)
 316      */
 317     public void setSubject(String subjectDN) throws IOException {
 318         if (subjectDN == null) {
 319             subject = null;
 320         } else {
 321             subject = new X500Name(subjectDN).asX500Principal();
 322         }
 323     }
 324 
 325     /**
 326      * Sets the subject criterion. The specified distinguished name
 327      * must match the subject distinguished name in the
 328      * {@code X509Certificate}. If {@code null}, any subject
 329      * distinguished name will do.
 330      * <p>
 331      * If {@code subjectDN} is not {@code null}, it should contain a
 332      * single DER encoded distinguished name, as defined in X.501. For the ASN.1
 333      * notation for this structure, see
 334      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
 335      *
 336      * @param subjectDN a byte array containing the distinguished name in
 337      *                  ASN.1 DER format (or {@code null})
 338      * @throws IOException if an encoding error occurs (incorrect form for DN)
 339      */
 340     public void setSubject(byte[] subjectDN) throws IOException {
 341         try {
 342             subject = (subjectDN == null ? null : new X500Principal(subjectDN));
 343         } catch (IllegalArgumentException e) {
 344             throw new IOException("Invalid name", e);
 345         }
 346     }
 347 
 348     /**
 349      * Sets the subjectKeyIdentifier criterion. The
 350      * {@code X509Certificate} must contain a SubjectKeyIdentifier
 351      * extension for which the contents of the extension
 352      * matches the specified criterion value.
 353      * If the criterion value is {@code null}, no
 354      * subjectKeyIdentifier check will be done.
 355      * <p>
 356      * If {@code subjectKeyID} is not {@code null}, it
 357      * should contain a single DER encoded value corresponding to the contents
 358      * of the extension value (not including the object identifier,
 359      * criticality setting, and encapsulating OCTET STRING)
 360      * for a SubjectKeyIdentifier extension.
 361      * The ASN.1 notation for this structure follows.
 362      *
 363      * <pre>{@code
 364      * SubjectKeyIdentifier ::= KeyIdentifier
 365      *
 366      * KeyIdentifier ::= OCTET STRING
 367      * }</pre>
 368      * <p>
 369      * Since the format of subject key identifiers is not mandated by
 370      * any standard, subject key identifiers are not parsed by the
 371      * {@code X509CertSelector}. Instead, the values are compared using
 372      * a byte-by-byte comparison.
 373      * <p>
 374      * Note that the byte array supplied here is cloned to protect against
 375      * subsequent modifications.
 376      *
 377      * @param subjectKeyID the subject key identifier (or {@code null})
 378      * @see #getSubjectKeyIdentifier
 379      */
 380     public void setSubjectKeyIdentifier(byte[] subjectKeyID) {
 381         if (subjectKeyID == null) {
 382             this.subjectKeyID = null;
 383         } else {
 384             this.subjectKeyID = subjectKeyID.clone();
 385         }
 386     }
 387 
 388     /**
 389      * Sets the authorityKeyIdentifier criterion. The
 390      * {@code X509Certificate} must contain an
 391      * AuthorityKeyIdentifier extension for which the contents of the
 392      * extension value matches the specified criterion value.
 393      * If the criterion value is {@code null}, no
 394      * authorityKeyIdentifier check will be done.
 395      * <p>
 396      * If {@code authorityKeyID} is not {@code null}, it
 397      * should contain a single DER encoded value corresponding to the contents
 398      * of the extension value (not including the object identifier,
 399      * criticality setting, and encapsulating OCTET STRING)
 400      * for an AuthorityKeyIdentifier extension.
 401      * The ASN.1 notation for this structure follows.
 402      *
 403      * <pre>{@code
 404      * AuthorityKeyIdentifier ::= SEQUENCE {
 405      *    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 406      *    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 407      *    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
 408      *
 409      * KeyIdentifier ::= OCTET STRING
 410      * }</pre>
 411      * <p>
 412      * Authority key identifiers are not parsed by the
 413      * {@code X509CertSelector}.  Instead, the values are
 414      * compared using a byte-by-byte comparison.
 415      * <p>
 416      * When the {@code keyIdentifier} field of
 417      * {@code AuthorityKeyIdentifier} is populated, the value is
 418      * usually taken from the {@code SubjectKeyIdentifier} extension
 419      * in the issuer's certificate.  Note, however, that the result of
 420      * {@code X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object
 421      * Identifier>)} on the issuer's certificate may NOT be used
 422      * directly as the input to {@code setAuthorityKeyIdentifier}.
 423      * This is because the SubjectKeyIdentifier contains
 424      * only a KeyIdentifier OCTET STRING, and not a SEQUENCE of
 425      * KeyIdentifier, GeneralNames, and CertificateSerialNumber.
 426      * In order to use the extension value of the issuer certificate's
 427      * {@code SubjectKeyIdentifier}
 428      * extension, it will be necessary to extract the value of the embedded
 429      * {@code KeyIdentifier} OCTET STRING, then DER encode this OCTET
 430      * STRING inside a SEQUENCE.
 431      * For more details on SubjectKeyIdentifier, see
 432      * {@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}.
 433      * <p>
 434      * Note also that the byte array supplied here is cloned to protect against
 435      * subsequent modifications.
 436      *
 437      * @param authorityKeyID the authority key identifier
 438      *        (or {@code null})
 439      * @see #getAuthorityKeyIdentifier
 440      */
 441     public void setAuthorityKeyIdentifier(byte[] authorityKeyID) {
 442         if (authorityKeyID == null) {
 443             this.authorityKeyID = null;
 444         } else {
 445             this.authorityKeyID = authorityKeyID.clone();
 446         }
 447     }
 448 
 449     /**
 450      * Sets the certificateValid criterion. The specified date must fall
 451      * within the certificate validity period for the
 452      * {@code X509Certificate}. If {@code null}, no certificateValid
 453      * check will be done.
 454      * <p>
 455      * Note that the {@code Date} supplied here is cloned to protect
 456      * against subsequent modifications.
 457      *
 458      * @param certValid the {@code Date} to check (or {@code null})
 459      * @see #getCertificateValid
 460      */
 461     public void setCertificateValid(Date certValid) {
 462         if (certValid == null) {
 463             certificateValid = null;
 464         } else {
 465             certificateValid = (Date)certValid.clone();
 466         }
 467     }
 468 
 469     /**
 470      * Sets the privateKeyValid criterion. The specified date must fall
 471      * within the private key validity period for the
 472      * {@code X509Certificate}. If {@code null}, no privateKeyValid
 473      * check will be done.
 474      * <p>
 475      * Note that the {@code Date} supplied here is cloned to protect
 476      * against subsequent modifications.
 477      *
 478      * @param privateKeyValid the {@code Date} to check (or
 479      *                        {@code null})
 480      * @see #getPrivateKeyValid
 481      */
 482     public void setPrivateKeyValid(Date privateKeyValid) {
 483         if (privateKeyValid == null) {
 484             this.privateKeyValid = null;
 485         } else {
 486             this.privateKeyValid = (Date)privateKeyValid.clone();
 487         }
 488     }
 489 
 490     /**
 491      * Sets the subjectPublicKeyAlgID criterion. The
 492      * {@code X509Certificate} must contain a subject public key
 493      * with the specified algorithm. If {@code null}, no
 494      * subjectPublicKeyAlgID check will be done.
 495      *
 496      * @param oid The object identifier (OID) of the algorithm to check
 497      *            for (or {@code null}). An OID is represented by a
 498      *            set of nonnegative integers separated by periods.
 499      * @throws IOException if the OID is invalid, such as
 500      * the first component being not 0, 1 or 2 or the second component
 501      * being greater than 39.
 502      *
 503      * @see #getSubjectPublicKeyAlgID
 504      */
 505     public void setSubjectPublicKeyAlgID(String oid) throws IOException {
 506         if (oid == null) {
 507             subjectPublicKeyAlgID = null;
 508         } else {
 509             subjectPublicKeyAlgID = new ObjectIdentifier(oid);
 510         }
 511     }
 512 
 513     /**
 514      * Sets the subjectPublicKey criterion. The
 515      * {@code X509Certificate} must contain the specified subject public
 516      * key. If {@code null}, no subjectPublicKey check will be done.
 517      *
 518      * @param key the subject public key to check for (or {@code null})
 519      * @see #getSubjectPublicKey
 520      */
 521     public void setSubjectPublicKey(PublicKey key) {
 522         if (key == null) {
 523             subjectPublicKey = null;
 524             subjectPublicKeyBytes = null;
 525         } else {
 526             subjectPublicKey = key;
 527             subjectPublicKeyBytes = key.getEncoded();
 528         }
 529     }
 530 
 531     /**
 532      * Sets the subjectPublicKey criterion. The {@code X509Certificate}
 533      * must contain the specified subject public key. If {@code null},
 534      * no subjectPublicKey check will be done.
 535      * <p>
 536      * Because this method allows the public key to be specified as a byte
 537      * array, it may be used for unknown key types.
 538      * <p>
 539      * If {@code key} is not {@code null}, it should contain a
 540      * single DER encoded SubjectPublicKeyInfo structure, as defined in X.509.
 541      * The ASN.1 notation for this structure is as follows.
 542      * <pre>{@code
 543      * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 544      *   algorithm            AlgorithmIdentifier,
 545      *   subjectPublicKey     BIT STRING  }
 546      *
 547      * AlgorithmIdentifier  ::=  SEQUENCE  {
 548      *   algorithm               OBJECT IDENTIFIER,
 549      *   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 550      *                              -- contains a value of the type
 551      *                              -- registered for use with the
 552      *                              -- algorithm object identifier value
 553      * }</pre>
 554      * <p>
 555      * Note that the byte array supplied here is cloned to protect against
 556      * subsequent modifications.
 557      *
 558      * @param key a byte array containing the subject public key in ASN.1 DER
 559      *            form (or {@code null})
 560      * @throws IOException if an encoding error occurs (incorrect form for
 561      * subject public key)
 562      * @see #getSubjectPublicKey
 563      */
 564     public void setSubjectPublicKey(byte[] key) throws IOException {
 565         if (key == null) {
 566             subjectPublicKey = null;
 567             subjectPublicKeyBytes = null;
 568         } else {
 569             subjectPublicKeyBytes = key.clone();
 570             subjectPublicKey = X509Key.parse(new DerValue(subjectPublicKeyBytes));
 571         }
 572     }
 573 
 574     /**
 575      * Sets the keyUsage criterion. The {@code X509Certificate}
 576      * must allow the specified keyUsage values. If {@code null}, no
 577      * keyUsage check will be done. Note that an {@code X509Certificate}
 578      * that has no keyUsage extension implicitly allows all keyUsage values.
 579      * <p>
 580      * Note that the boolean array supplied here is cloned to protect against
 581      * subsequent modifications.
 582      *
 583      * @param keyUsage a boolean array in the same format as the boolean
 584      *                 array returned by
 585      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
 586      *                 Or {@code null}.
 587      * @see #getKeyUsage
 588      */
 589     public void setKeyUsage(boolean[] keyUsage) {
 590         if (keyUsage == null) {
 591             this.keyUsage = null;
 592         } else {
 593             this.keyUsage = keyUsage.clone();
 594         }
 595     }
 596 
 597     /**
 598      * Sets the extendedKeyUsage criterion. The {@code X509Certificate}
 599      * must allow the specified key purposes in its extended key usage
 600      * extension. If {@code keyPurposeSet} is empty or {@code null},
 601      * no extendedKeyUsage check will be done. Note that an
 602      * {@code X509Certificate} that has no extendedKeyUsage extension
 603      * implicitly allows all key purposes.
 604      * <p>
 605      * Note that the {@code Set} is cloned to protect against
 606      * subsequent modifications.
 607      *
 608      * @param keyPurposeSet a {@code Set} of key purpose OIDs in string
 609      * format (or {@code null}). Each OID is represented by a set of
 610      * nonnegative integers separated by periods.
 611      * @throws IOException if the OID is invalid, such as
 612      * the first component being not 0, 1 or 2 or the second component
 613      * being greater than 39.
 614      * @see #getExtendedKeyUsage
 615      */
 616     public void setExtendedKeyUsage(Set<String> keyPurposeSet) throws IOException {
 617         if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
 618             this.keyPurposeSet = null;
 619             keyPurposeOIDSet = null;
 620         } else {
 621             this.keyPurposeSet =
 622                 Collections.unmodifiableSet(new HashSet<String>(keyPurposeSet));
 623             keyPurposeOIDSet = new HashSet<ObjectIdentifier>();
 624             for (String s : this.keyPurposeSet) {
 625                 keyPurposeOIDSet.add(new ObjectIdentifier(s));
 626             }
 627         }
 628     }
 629 
 630     /**
 631      * Enables/disables matching all of the subjectAlternativeNames
 632      * specified in the {@link #setSubjectAlternativeNames
 633      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
 634      * addSubjectAlternativeName} methods. If enabled,
 635      * the {@code X509Certificate} must contain all of the
 636      * specified subject alternative names. If disabled, the
 637      * {@code X509Certificate} must contain at least one of the
 638      * specified subject alternative names.
 639      *
 640      * <p>The matchAllNames flag is {@code true} by default.
 641      *
 642      * @param matchAllNames if {@code true}, the flag is enabled;
 643      * if {@code false}, the flag is disabled.
 644      * @see #getMatchAllSubjectAltNames
 645      */
 646     public void setMatchAllSubjectAltNames(boolean matchAllNames) {
 647         this.matchAllSubjectAltNames = matchAllNames;
 648     }
 649 
 650     /**
 651      * Sets the subjectAlternativeNames criterion. The
 652      * {@code X509Certificate} must contain all or at least one of the
 653      * specified subjectAlternativeNames, depending on the value of
 654      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 655      * setMatchAllSubjectAltNames}).
 656      * <p>
 657      * This method allows the caller to specify, with a single method call,
 658      * the complete set of subject alternative names for the
 659      * subjectAlternativeNames criterion. The specified value replaces
 660      * the previous value for the subjectAlternativeNames criterion.
 661      * <p>
 662      * The {@code names} parameter (if not {@code null}) is a
 663      * {@code Collection} with one
 664      * entry for each name to be included in the subject alternative name
 665      * criterion. Each entry is a {@code List} whose first entry is an
 666      * {@code Integer} (the name type, 0-8) and whose second
 667      * entry is a {@code String} or a byte array (the name, in
 668      * string or ASN.1 DER encoded form, respectively).
 669      * There can be multiple names of the same type. If {@code null}
 670      * is supplied as the value for this argument, no
 671      * subjectAlternativeNames check will be performed.
 672      * <p>
 673      * Each subject alternative name in the {@code Collection}
 674      * may be specified either as a {@code String} or as an ASN.1 encoded
 675      * byte array. For more details about the formats used, see
 676      * {@link #addSubjectAlternativeName(int type, String name)
 677      * addSubjectAlternativeName(int type, String name)} and
 678      * {@link #addSubjectAlternativeName(int type, byte [] name)
 679      * addSubjectAlternativeName(int type, byte [] name)}.
 680      * <p>
 681      * <strong>Note:</strong> for distinguished names, specify the byte
 682      * array form instead of the String form. See the note in
 683      * {@link #addSubjectAlternativeName(int, String)} for more information.
 684      * <p>
 685      * Note that the {@code names} parameter can contain duplicate
 686      * names (same name and name type), but they may be removed from the
 687      * {@code Collection} of names returned by the
 688      * {@link #getSubjectAlternativeNames getSubjectAlternativeNames} method.
 689      * <p>
 690      * Note that a deep copy is performed on the {@code Collection} to
 691      * protect against subsequent modifications.
 692      *
 693      * @param names a {@code Collection} of names (or {@code null})
 694      * @throws IOException if a parsing error occurs
 695      * @see #getSubjectAlternativeNames
 696      */
 697     public void setSubjectAlternativeNames(Collection<List<?>> names)
 698             throws IOException {
 699         if (names == null) {
 700             subjectAlternativeNames = null;
 701             subjectAlternativeGeneralNames = null;
 702         } else {
 703             if (names.isEmpty()) {
 704                 subjectAlternativeNames = null;
 705                 subjectAlternativeGeneralNames = null;
 706                 return;
 707             }
 708             Set<List<?>> tempNames = cloneAndCheckNames(names);
 709             // Ensure that we either set both of these or neither
 710             subjectAlternativeGeneralNames = parseNames(tempNames);
 711             subjectAlternativeNames = tempNames;
 712         }
 713     }
 714 
 715     /**
 716      * Adds a name to the subjectAlternativeNames criterion. The
 717      * {@code X509Certificate} must contain all or at least one
 718      * of the specified subjectAlternativeNames, depending on the value of
 719      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 720      * setMatchAllSubjectAltNames}).
 721      * <p>
 722      * This method allows the caller to add a name to the set of subject
 723      * alternative names.
 724      * The specified name is added to any previous value for the
 725      * subjectAlternativeNames criterion. If the specified name is a
 726      * duplicate, it may be ignored.
 727      * <p>
 728      * The name is provided in string format.
 729      * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
 730      * names use the well-established string formats for those types (subject to
 731      * the restrictions included in RFC 3280). IPv4 address names are
 732      * supplied using dotted quad notation. OID address names are represented
 733      * as a series of nonnegative integers separated by periods. And
 734      * directory names (distinguished names) are supplied in RFC 2253 format.
 735      * No standard string format is defined for otherNames, X.400 names,
 736      * EDI party names, IPv6 address names, or any other type of names. They
 737      * should be specified using the
 738      * {@link #addSubjectAlternativeName(int type, byte [] name)
 739      * addSubjectAlternativeName(int type, byte [] name)}
 740      * method.
 741      * <p>
 742      * <strong>Note:</strong> for distinguished names, use
 743      * {@linkplain #addSubjectAlternativeName(int, byte[])} instead.
 744      * This method should not be relied on as it can fail to match some
 745      * certificates because of a loss of encoding information in the RFC 2253
 746      * String form of some distinguished names.
 747      *
 748      * @param type the name type (0-8, as specified in
 749      *             RFC 3280, section 4.2.1.7)
 750      * @param name the name in string form (not {@code null})
 751      * @throws IOException if a parsing error occurs
 752      */
 753     public void addSubjectAlternativeName(int type, String name)
 754             throws IOException {
 755         addSubjectAlternativeNameInternal(type, name);
 756     }
 757 
 758     /**
 759      * Adds a name to the subjectAlternativeNames criterion. The
 760      * {@code X509Certificate} must contain all or at least one
 761      * of the specified subjectAlternativeNames, depending on the value of
 762      * the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
 763      * setMatchAllSubjectAltNames}).
 764      * <p>
 765      * This method allows the caller to add a name to the set of subject
 766      * alternative names.
 767      * The specified name is added to any previous value for the
 768      * subjectAlternativeNames criterion. If the specified name is a
 769      * duplicate, it may be ignored.
 770      * <p>
 771      * The name is provided as a byte array. This byte array should contain
 772      * the DER encoded name, as it would appear in the GeneralName structure
 773      * defined in RFC 3280 and X.509. The encoded byte array should only contain
 774      * the encoded value of the name, and should not include the tag associated
 775      * with the name in the GeneralName structure. The ASN.1 definition of this
 776      * structure appears below.
 777      * <pre>{@code
 778      *  GeneralName ::= CHOICE {
 779      *       otherName                       [0]     OtherName,
 780      *       rfc822Name                      [1]     IA5String,
 781      *       dNSName                         [2]     IA5String,
 782      *       x400Address                     [3]     ORAddress,
 783      *       directoryName                   [4]     Name,
 784      *       ediPartyName                    [5]     EDIPartyName,
 785      *       uniformResourceIdentifier       [6]     IA5String,
 786      *       iPAddress                       [7]     OCTET STRING,
 787      *       registeredID                    [8]     OBJECT IDENTIFIER}
 788      * }</pre>
 789      * <p>
 790      * Note that the byte array supplied here is cloned to protect against
 791      * subsequent modifications.
 792      *
 793      * @param type the name type (0-8, as listed above)
 794      * @param name a byte array containing the name in ASN.1 DER encoded form
 795      * @throws IOException if a parsing error occurs
 796      */
 797     public void addSubjectAlternativeName(int type, byte[] name)
 798             throws IOException {
 799         // clone because byte arrays are modifiable
 800         addSubjectAlternativeNameInternal(type, name.clone());
 801     }
 802 
 803     /**
 804      * A private method that adds a name (String or byte array) to the
 805      * subjectAlternativeNames criterion. The {@code X509Certificate}
 806      * must contain the specified subjectAlternativeName.
 807      *
 808      * @param type the name type (0-8, as specified in
 809      *             RFC 3280, section 4.2.1.7)
 810      * @param name the name in string or byte array form
 811      * @throws IOException if a parsing error occurs
 812      */
 813     private void addSubjectAlternativeNameInternal(int type, Object name)
 814             throws IOException {
 815         // First, ensure that the name parses
 816         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
 817         if (subjectAlternativeNames == null) {
 818             subjectAlternativeNames = new HashSet<List<?>>();
 819         }
 820         if (subjectAlternativeGeneralNames == null) {
 821             subjectAlternativeGeneralNames = new HashSet<GeneralNameInterface>();
 822         }
 823         List<Object> list = new ArrayList<Object>(2);
 824         list.add(Integer.valueOf(type));
 825         list.add(name);
 826         subjectAlternativeNames.add(list);
 827         subjectAlternativeGeneralNames.add(tempName);
 828     }
 829 
 830     /**
 831      * Parse an argument of the form passed to setSubjectAlternativeNames,
 832      * returning a {@code Collection} of
 833      * {@code GeneralNameInterface}s.
 834      * Throw an IllegalArgumentException or a ClassCastException
 835      * if the argument is malformed.
 836      *
 837      * @param names a Collection with one entry per name.
 838      *              Each entry is a {@code List} whose first entry
 839      *              is an Integer (the name type, 0-8) and whose second
 840      *              entry is a String or a byte array (the name, in
 841      *              string or ASN.1 DER encoded form, respectively).
 842      *              There can be multiple names of the same type. Null is
 843      *              not an acceptable value.
 844      * @return a Set of {@code GeneralNameInterface}s
 845      * @throws IOException if a parsing error occurs
 846      */
 847     private static Set<GeneralNameInterface> parseNames(Collection<List<?>> names) throws IOException {
 848         Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>();
 849         for (List<?> nameList : names) {
 850             if (nameList.size() != 2) {
 851                 throw new IOException("name list size not 2");
 852             }
 853             Object o =  nameList.get(0);
 854             if (!(o instanceof Integer)) {
 855                 throw new IOException("expected an Integer");
 856             }
 857             int nameType = ((Integer)o).intValue();
 858             o = nameList.get(1);
 859             genNames.add(makeGeneralNameInterface(nameType, o));
 860         }
 861 
 862         return genNames;
 863     }
 864 
 865     /**
 866      * Compare for equality two objects of the form passed to
 867      * setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames).
 868      * Throw an {@code IllegalArgumentException} or a
 869      * {@code ClassCastException} if one of the objects is malformed.
 870      *
 871      * @param object1 a Collection containing the first object to compare
 872      * @param object2 a Collection containing the second object to compare
 873      * @return true if the objects are equal, false otherwise
 874      */
 875     static boolean equalNames(Collection<?> object1, Collection<?> object2) {
 876         if ((object1 == null) || (object2 == null)) {
 877             return object1 == object2;
 878         }
 879         return object1.equals(object2);
 880     }
 881 
 882     /**
 883      * Make a {@code GeneralNameInterface} out of a name type (0-8) and an
 884      * Object that may be a byte array holding the ASN.1 DER encoded
 885      * name or a String form of the name.  Except for X.509
 886      * Distinguished Names, the String form of the name must not be the
 887      * result from calling toString on an existing GeneralNameInterface
 888      * implementing class.  The output of toString is not compatible
 889      * with the String constructors for names other than Distinguished
 890      * Names.
 891      *
 892      * @param type name type (0-8)
 893      * @param name name as ASN.1 Der-encoded byte array or String
 894      * @return a GeneralNameInterface name
 895      * @throws IOException if a parsing error occurs
 896      */
 897     static GeneralNameInterface makeGeneralNameInterface(int type, Object name)
 898             throws IOException {
 899         GeneralNameInterface result;
 900         if (debug != null) {
 901             debug.println("X509CertSelector.makeGeneralNameInterface("
 902                 + type + ")...");
 903         }
 904 
 905         if (name instanceof String) {
 906             if (debug != null) {
 907                 debug.println("X509CertSelector.makeGeneralNameInterface() "
 908                     + "name is String: " + name);
 909             }
 910             switch (type) {
 911             case NAME_RFC822:
 912                 result = new RFC822Name((String)name);
 913                 break;
 914             case NAME_DNS:
 915                 result = new DNSName((String)name);
 916                 break;
 917             case NAME_DIRECTORY:
 918                 result = new X500Name((String)name);
 919                 break;
 920             case NAME_URI:
 921                 result = new URIName((String)name);
 922                 break;
 923             case NAME_IP:
 924                 result = new IPAddressName((String)name);
 925                 break;
 926             case NAME_OID:
 927                 result = new OIDName((String)name);
 928                 break;
 929             default:
 930                 throw new IOException("unable to parse String names of type "
 931                                       + type);
 932             }
 933             if (debug != null) {
 934                 debug.println("X509CertSelector.makeGeneralNameInterface() "
 935                     + "result: " + result.toString());
 936             }
 937         } else if (name instanceof byte[]) {
 938             DerValue val = new DerValue((byte[]) name);
 939             if (debug != null) {
 940                 debug.println
 941                     ("X509CertSelector.makeGeneralNameInterface() is byte[]");
 942             }
 943 
 944             switch (type) {
 945             case NAME_ANY:
 946                 result = new OtherName(val);
 947                 break;
 948             case NAME_RFC822:
 949                 result = new RFC822Name(val);
 950                 break;
 951             case NAME_DNS:
 952                 result = new DNSName(val);
 953                 break;
 954             case NAME_X400:
 955                 result = new X400Address(val);
 956                 break;
 957             case NAME_DIRECTORY:
 958                 result = new X500Name(val);
 959                 break;
 960             case NAME_EDI:
 961                 result = new EDIPartyName(val);
 962                 break;
 963             case NAME_URI:
 964                 result = new URIName(val);
 965                 break;
 966             case NAME_IP:
 967                 result = new IPAddressName(val);
 968                 break;
 969             case NAME_OID:
 970                 result = new OIDName(val);
 971                 break;
 972             default:
 973                 throw new IOException("unable to parse byte array names of "
 974                     + "type " + type);
 975             }
 976             if (debug != null) {
 977                 debug.println("X509CertSelector.makeGeneralNameInterface() result: "
 978                     + result.toString());
 979             }
 980         } else {
 981             if (debug != null) {
 982                 debug.println("X509CertSelector.makeGeneralName() input name "
 983                     + "not String or byte array");
 984             }
 985             throw new IOException("name not String or byte array");
 986         }
 987         return result;
 988     }
 989 
 990 
 991     /**
 992      * Sets the name constraints criterion. The {@code X509Certificate}
 993      * must have subject and subject alternative names that
 994      * meet the specified name constraints.
 995      * <p>
 996      * The name constraints are specified as a byte array. This byte array
 997      * should contain the DER encoded form of the name constraints, as they
 998      * would appear in the NameConstraints structure defined in RFC 3280
 999      * and X.509. The ASN.1 definition of this structure appears below.
1000      *
1001      * <pre>{@code
1002      *  NameConstraints ::= SEQUENCE {
1003      *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
1004      *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
1005      *
1006      *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1007      *
1008      *  GeneralSubtree ::= SEQUENCE {
1009      *       base                    GeneralName,
1010      *       minimum         [0]     BaseDistance DEFAULT 0,
1011      *       maximum         [1]     BaseDistance OPTIONAL }
1012      *
1013      *  BaseDistance ::= INTEGER (0..MAX)
1014      *
1015      *  GeneralName ::= CHOICE {
1016      *       otherName                       [0]     OtherName,
1017      *       rfc822Name                      [1]     IA5String,
1018      *       dNSName                         [2]     IA5String,
1019      *       x400Address                     [3]     ORAddress,
1020      *       directoryName                   [4]     Name,
1021      *       ediPartyName                    [5]     EDIPartyName,
1022      *       uniformResourceIdentifier       [6]     IA5String,
1023      *       iPAddress                       [7]     OCTET STRING,
1024      *       registeredID                    [8]     OBJECT IDENTIFIER}
1025      * }</pre>
1026      * <p>
1027      * Note that the byte array supplied here is cloned to protect against
1028      * subsequent modifications.
1029      *
1030      * @param bytes a byte array containing the ASN.1 DER encoding of
1031      *              a NameConstraints extension to be used for checking
1032      *              name constraints. Only the value of the extension is
1033      *              included, not the OID or criticality flag. Can be
1034      *              {@code null},
1035      *              in which case no name constraints check will be performed.
1036      * @throws IOException if a parsing error occurs
1037      * @see #getNameConstraints
1038      */
1039     public void setNameConstraints(byte[] bytes) throws IOException {
1040         if (bytes == null) {
1041             ncBytes = null;
1042             nc = null;
1043         } else {
1044             ncBytes = bytes.clone();
1045             nc = new NameConstraintsExtension(FALSE, bytes);
1046         }
1047     }
1048 
1049     /**
1050      * Sets the basic constraints constraint. If the value is greater than or
1051      * equal to zero, {@code X509Certificates} must include a
1052      * basicConstraints extension with
1053      * a pathLen of at least this value. If the value is -2, only end-entity
1054      * certificates are accepted. If the value is -1, no check is done.
1055      * <p>
1056      * This constraint is useful when building a certification path forward
1057      * (from the target toward the trust anchor. If a partial path has been
1058      * built, any candidate certificate must have a maxPathLen value greater
1059      * than or equal to the number of certificates in the partial path.
1060      *
1061      * @param minMaxPathLen the value for the basic constraints constraint
1062      * @throws IllegalArgumentException if the value is less than -2
1063      * @see #getBasicConstraints
1064      */
1065     public void setBasicConstraints(int minMaxPathLen) {
1066         if (minMaxPathLen < -2) {
1067             throw new IllegalArgumentException("basic constraints less than -2");
1068         }
1069         basicConstraints = minMaxPathLen;
1070     }
1071 
1072     /**
1073      * Sets the policy constraint. The {@code X509Certificate} must
1074      * include at least one of the specified policies in its certificate
1075      * policies extension. If {@code certPolicySet} is empty, then the
1076      * {@code X509Certificate} must include at least some specified policy
1077      * in its certificate policies extension. If {@code certPolicySet} is
1078      * {@code null}, no policy check will be performed.
1079      * <p>
1080      * Note that the {@code Set} is cloned to protect against
1081      * subsequent modifications.
1082      *
1083      * @param certPolicySet a {@code Set} of certificate policy OIDs in
1084      *                      string format (or {@code null}). Each OID is
1085      *                      represented by a set of nonnegative integers
1086      *                    separated by periods.
1087      * @throws IOException if a parsing error occurs on the OID such as
1088      * the first component is not 0, 1 or 2 or the second component is
1089      * greater than 39.
1090      * @see #getPolicy
1091      */
1092     public void setPolicy(Set<String> certPolicySet) throws IOException {
1093         if (certPolicySet == null) {
1094             policySet = null;
1095             policy = null;
1096         } else {
1097             // Snapshot set and parse it
1098             Set<String> tempSet = Collections.unmodifiableSet
1099                                         (new HashSet<String>(certPolicySet));
1100             /* Convert to Vector of ObjectIdentifiers */
1101             Iterator<String> i = tempSet.iterator();
1102             Vector<CertificatePolicyId> polIdVector = new Vector<CertificatePolicyId>();
1103             while (i.hasNext()) {
1104                 Object o = i.next();
1105                 if (!(o instanceof String)) {
1106                     throw new IOException("non String in certPolicySet");
1107                 }
1108                 polIdVector.add(new CertificatePolicyId(new ObjectIdentifier(
1109                   (String)o)));
1110             }
1111             // If everything went OK, make the changes
1112             policySet = tempSet;
1113             policy = new CertificatePolicySet(polIdVector);
1114         }
1115     }
1116 
1117     /**
1118      * Sets the pathToNames criterion. The {@code X509Certificate} must
1119      * not include name constraints that would prohibit building a
1120      * path to the specified names.
1121      * <p>
1122      * This method allows the caller to specify, with a single method call,
1123      * the complete set of names which the {@code X509Certificates}'s
1124      * name constraints must permit. The specified value replaces
1125      * the previous value for the pathToNames criterion.
1126      * <p>
1127      * This constraint is useful when building a certification path forward
1128      * (from the target toward the trust anchor. If a partial path has been
1129      * built, any candidate certificate must not include name constraints that
1130      * would prohibit building a path to any of the names in the partial path.
1131      * <p>
1132      * The {@code names} parameter (if not {@code null}) is a
1133      * {@code Collection} with one
1134      * entry for each name to be included in the pathToNames
1135      * criterion. Each entry is a {@code List} whose first entry is an
1136      * {@code Integer} (the name type, 0-8) and whose second
1137      * entry is a {@code String} or a byte array (the name, in
1138      * string or ASN.1 DER encoded form, respectively).
1139      * There can be multiple names of the same type. If {@code null}
1140      * is supplied as the value for this argument, no
1141      * pathToNames check will be performed.
1142      * <p>
1143      * Each name in the {@code Collection}
1144      * may be specified either as a {@code String} or as an ASN.1 encoded
1145      * byte array. For more details about the formats used, see
1146      * {@link #addPathToName(int type, String name)
1147      * addPathToName(int type, String name)} and
1148      * {@link #addPathToName(int type, byte [] name)
1149      * addPathToName(int type, byte [] name)}.
1150      * <p>
1151      * <strong>Note:</strong> for distinguished names, specify the byte
1152      * array form instead of the String form. See the note in
1153      * {@link #addPathToName(int, String)} for more information.
1154      * <p>
1155      * Note that the {@code names} parameter can contain duplicate
1156      * names (same name and name type), but they may be removed from the
1157      * {@code Collection} of names returned by the
1158      * {@link #getPathToNames getPathToNames} method.
1159      * <p>
1160      * Note that a deep copy is performed on the {@code Collection} to
1161      * protect against subsequent modifications.
1162      *
1163      * @param names a {@code Collection} with one entry per name
1164      *              (or {@code null})
1165      * @throws IOException if a parsing error occurs
1166      * @see #getPathToNames
1167      */
1168     public void setPathToNames(Collection<List<?>> names) throws IOException {
1169         if ((names == null) || names.isEmpty()) {
1170             pathToNames = null;
1171             pathToGeneralNames = null;
1172         } else {
1173             Set<List<?>> tempNames = cloneAndCheckNames(names);
1174             pathToGeneralNames = parseNames(tempNames);
1175             // Ensure that we either set both of these or neither
1176             pathToNames = tempNames;
1177         }
1178     }
1179 
1180     // called from CertPathHelper
1181     void setPathToNamesInternal(Set<GeneralNameInterface> names) {
1182         // set names to non-null dummy value
1183         // this breaks getPathToNames()
1184         pathToNames = Collections.<List<?>>emptySet();
1185         pathToGeneralNames = names;
1186     }
1187 
1188     /**
1189      * Adds a name to the pathToNames criterion. The {@code X509Certificate}
1190      * must not include name constraints that would prohibit building a
1191      * path to the specified name.
1192      * <p>
1193      * This method allows the caller to add a name to the set of names which
1194      * the {@code X509Certificates}'s name constraints must permit.
1195      * The specified name is added to any previous value for the
1196      * pathToNames criterion.  If the name is a duplicate, it may be ignored.
1197      * <p>
1198      * The name is provided in string format. RFC 822, DNS, and URI names
1199      * use the well-established string formats for those types (subject to
1200      * the restrictions included in RFC 3280). IPv4 address names are
1201      * supplied using dotted quad notation. OID address names are represented
1202      * as a series of nonnegative integers separated by periods. And
1203      * directory names (distinguished names) are supplied in RFC 2253 format.
1204      * No standard string format is defined for otherNames, X.400 names,
1205      * EDI party names, IPv6 address names, or any other type of names. They
1206      * should be specified using the
1207      * {@link #addPathToName(int type, byte [] name)
1208      * addPathToName(int type, byte [] name)} method.
1209      * <p>
1210      * <strong>Note:</strong> for distinguished names, use
1211      * {@linkplain #addPathToName(int, byte[])} instead.
1212      * This method should not be relied on as it can fail to match some
1213      * certificates because of a loss of encoding information in the RFC 2253
1214      * String form of some distinguished names.
1215      *
1216      * @param type the name type (0-8, as specified in
1217      *             RFC 3280, section 4.2.1.7)
1218      * @param name the name in string form
1219      * @throws IOException if a parsing error occurs
1220      */
1221     public void addPathToName(int type, String name) throws IOException {
1222         addPathToNameInternal(type, name);
1223     }
1224 
1225     /**
1226      * Adds a name to the pathToNames criterion. The {@code X509Certificate}
1227      * must not include name constraints that would prohibit building a
1228      * path to the specified name.
1229      * <p>
1230      * This method allows the caller to add a name to the set of names which
1231      * the {@code X509Certificates}'s name constraints must permit.
1232      * The specified name is added to any previous value for the
1233      * pathToNames criterion. If the name is a duplicate, it may be ignored.
1234      * <p>
1235      * The name is provided as a byte array. This byte array should contain
1236      * the DER encoded name, as it would appear in the GeneralName structure
1237      * defined in RFC 3280 and X.509. The ASN.1 definition of this structure
1238      * appears in the documentation for
1239      * {@link #addSubjectAlternativeName(int type, byte [] name)
1240      * addSubjectAlternativeName(int type, byte [] name)}.
1241      * <p>
1242      * Note that the byte array supplied here is cloned to protect against
1243      * subsequent modifications.
1244      *
1245      * @param type the name type (0-8, as specified in
1246      *             RFC 3280, section 4.2.1.7)
1247      * @param name a byte array containing the name in ASN.1 DER encoded form
1248      * @throws IOException if a parsing error occurs
1249      */
1250     public void addPathToName(int type, byte [] name) throws IOException {
1251         // clone because byte arrays are modifiable
1252         addPathToNameInternal(type, name.clone());
1253     }
1254 
1255     /**
1256      * A private method that adds a name (String or byte array) to the
1257      * pathToNames criterion. The {@code X509Certificate} must contain
1258      * the specified pathToName.
1259      *
1260      * @param type the name type (0-8, as specified in
1261      *             RFC 3280, section 4.2.1.7)
1262      * @param name the name in string or byte array form
1263      * @throws IOException if an encoding error occurs (incorrect form for DN)
1264      */
1265     private void addPathToNameInternal(int type, Object name)
1266             throws IOException {
1267         // First, ensure that the name parses
1268         GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
1269         if (pathToGeneralNames == null) {
1270             pathToNames = new HashSet<List<?>>();
1271             pathToGeneralNames = new HashSet<GeneralNameInterface>();
1272         }
1273         List<Object> list = new ArrayList<Object>(2);
1274         list.add(Integer.valueOf(type));
1275         list.add(name);
1276         pathToNames.add(list);
1277         pathToGeneralNames.add(tempName);
1278     }
1279 
1280     /**
1281      * Returns the certificateEquals criterion. The specified
1282      * {@code X509Certificate} must be equal to the
1283      * {@code X509Certificate} passed to the {@code match} method.
1284      * If {@code null}, this check is not applied.
1285      *
1286      * @return the {@code X509Certificate} to match (or {@code null})
1287      * @see #setCertificate
1288      */
1289     public X509Certificate getCertificate() {
1290         return x509Cert;
1291     }
1292 
1293     /**
1294      * Returns the serialNumber criterion. The specified serial number
1295      * must match the certificate serial number in the
1296      * {@code X509Certificate}. If {@code null}, any certificate
1297      * serial number will do.
1298      *
1299      * @return the certificate serial number to match
1300      *                (or {@code null})
1301      * @see #setSerialNumber
1302      */
1303     public BigInteger getSerialNumber() {
1304         return serialNumber;
1305     }
1306 
1307     /**
1308      * Returns the issuer criterion as an {@code X500Principal}. This
1309      * distinguished name must match the issuer distinguished name in the
1310      * {@code X509Certificate}. If {@code null}, the issuer criterion
1311      * is disabled and any issuer distinguished name will do.
1312      *
1313      * @return the required issuer distinguished name as X500Principal
1314      *         (or {@code null})
1315      * @since 1.5
1316      */
1317     public X500Principal getIssuer() {
1318         return issuer;
1319     }
1320 
1321     /**
1322      * <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
1323      * {@linkplain #getIssuerAsBytes()} instead. This method should not be
1324      * relied on as it can fail to match some certificates because of a loss of
1325      * encoding information in the RFC 2253 String form of some distinguished
1326      * names.
1327      * <p>
1328      * Returns the issuer criterion as a {@code String}. This
1329      * distinguished name must match the issuer distinguished name in the
1330      * {@code X509Certificate}. If {@code null}, the issuer criterion
1331      * is disabled and any issuer distinguished name will do.
1332      * <p>
1333      * If the value returned is not {@code null}, it is a
1334      * distinguished name, in RFC 2253 format.
1335      *
1336      * @return the required issuer distinguished name in RFC 2253 format
1337      *         (or {@code null})
1338      */
1339     public String getIssuerAsString() {
1340         return (issuer == null ? null : issuer.getName());
1341     }
1342 
1343     /**
1344      * Returns the issuer criterion as a byte array. This distinguished name
1345      * must match the issuer distinguished name in the
1346      * {@code X509Certificate}. If {@code null}, the issuer criterion
1347      * is disabled and any issuer distinguished name will do.
1348      * <p>
1349      * If the value returned is not {@code null}, it is a byte
1350      * array containing a single DER encoded distinguished name, as defined in
1351      * X.501. The ASN.1 notation for this structure is supplied in the
1352      * documentation for
1353      * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
1354      * <p>
1355      * Note that the byte array returned is cloned to protect against
1356      * subsequent modifications.
1357      *
1358      * @return a byte array containing the required issuer distinguished name
1359      *         in ASN.1 DER format (or {@code null})
1360      * @throws IOException if an encoding error occurs
1361      */
1362     public byte[] getIssuerAsBytes() throws IOException {
1363         return (issuer == null ? null: issuer.getEncoded());
1364     }
1365 
1366     /**
1367      * Returns the subject criterion as an {@code X500Principal}. This
1368      * distinguished name must match the subject distinguished name in the
1369      * {@code X509Certificate}. If {@code null}, the subject criterion
1370      * is disabled and any subject distinguished name will do.
1371      *
1372      * @return the required subject distinguished name as X500Principal
1373      *         (or {@code null})
1374      * @since 1.5
1375      */
1376     public X500Principal getSubject() {
1377         return subject;
1378     }
1379 
1380     /**
1381      * <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
1382      * {@linkplain #getSubjectAsBytes()} instead. This method should not be
1383      * relied on as it can fail to match some certificates because of a loss of
1384      * encoding information in the RFC 2253 String form of some distinguished
1385      * names.
1386      * <p>
1387      * Returns the subject criterion as a {@code String}. This
1388      * distinguished name must match the subject distinguished name in the
1389      * {@code X509Certificate}. If {@code null}, the subject criterion
1390      * is disabled and any subject distinguished name will do.
1391      * <p>
1392      * If the value returned is not {@code null}, it is a
1393      * distinguished name, in RFC 2253 format.
1394      *
1395      * @return the required subject distinguished name in RFC 2253 format
1396      *         (or {@code null})
1397      */
1398     public String getSubjectAsString() {
1399         return (subject == null ? null : subject.getName());
1400     }
1401 
1402     /**
1403      * Returns the subject criterion as a byte array. This distinguished name
1404      * must match the subject distinguished name in the
1405      * {@code X509Certificate}. If {@code null}, the subject criterion
1406      * is disabled and any subject distinguished name will do.
1407      * <p>
1408      * If the value returned is not {@code null}, it is a byte
1409      * array containing a single DER encoded distinguished name, as defined in
1410      * X.501. The ASN.1 notation for this structure is supplied in the
1411      * documentation for
1412      * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
1413      * <p>
1414      * Note that the byte array returned is cloned to protect against
1415      * subsequent modifications.
1416      *
1417      * @return a byte array containing the required subject distinguished name
1418      *         in ASN.1 DER format (or {@code null})
1419      * @throws IOException if an encoding error occurs
1420      */
1421     public byte[] getSubjectAsBytes() throws IOException {
1422         return (subject == null ? null : subject.getEncoded());
1423     }
1424 
1425     /**
1426      * Returns the subjectKeyIdentifier criterion. The
1427      * {@code X509Certificate} must contain a SubjectKeyIdentifier
1428      * extension with the specified value. If {@code null}, no
1429      * subjectKeyIdentifier check will be done.
1430      * <p>
1431      * Note that the byte array returned is cloned to protect against
1432      * subsequent modifications.
1433      *
1434      * @return the key identifier (or {@code null})
1435      * @see #setSubjectKeyIdentifier
1436      */
1437     public byte[] getSubjectKeyIdentifier() {
1438         if (subjectKeyID == null) {
1439             return null;
1440         }
1441         return subjectKeyID.clone();
1442     }
1443 
1444     /**
1445      * Returns the authorityKeyIdentifier criterion. The
1446      * {@code X509Certificate} must contain a AuthorityKeyIdentifier
1447      * extension with the specified value. If {@code null}, no
1448      * authorityKeyIdentifier check will be done.
1449      * <p>
1450      * Note that the byte array returned is cloned to protect against
1451      * subsequent modifications.
1452      *
1453      * @return the key identifier (or {@code null})
1454      * @see #setAuthorityKeyIdentifier
1455      */
1456     public byte[] getAuthorityKeyIdentifier() {
1457         if (authorityKeyID == null) {
1458           return null;
1459         }
1460         return authorityKeyID.clone();
1461     }
1462 
1463     /**
1464      * Returns the certificateValid criterion. The specified date must fall
1465      * within the certificate validity period for the
1466      * {@code X509Certificate}. If {@code null}, no certificateValid
1467      * check will be done.
1468      * <p>
1469      * Note that the {@code Date} returned is cloned to protect against
1470      * subsequent modifications.
1471      *
1472      * @return the {@code Date} to check (or {@code null})
1473      * @see #setCertificateValid
1474      */
1475     public Date getCertificateValid() {
1476         if (certificateValid == null) {
1477             return null;
1478         }
1479         return (Date)certificateValid.clone();
1480     }
1481 
1482     /**
1483      * Returns the privateKeyValid criterion. The specified date must fall
1484      * within the private key validity period for the
1485      * {@code X509Certificate}. If {@code null}, no privateKeyValid
1486      * check will be done.
1487      * <p>
1488      * Note that the {@code Date} returned is cloned to protect against
1489      * subsequent modifications.
1490      *
1491      * @return the {@code Date} to check (or {@code null})
1492      * @see #setPrivateKeyValid
1493      */
1494     public Date getPrivateKeyValid() {
1495         if (privateKeyValid == null) {
1496             return null;
1497         }
1498         return (Date)privateKeyValid.clone();
1499     }
1500 
1501     /**
1502      * Returns the subjectPublicKeyAlgID criterion. The
1503      * {@code X509Certificate} must contain a subject public key
1504      * with the specified algorithm. If {@code null}, no
1505      * subjectPublicKeyAlgID check will be done.
1506      *
1507      * @return the object identifier (OID) of the signature algorithm to check
1508      *         for (or {@code null}). An OID is represented by a set of
1509      *         nonnegative integers separated by periods.
1510      * @see #setSubjectPublicKeyAlgID
1511      */
1512     public String getSubjectPublicKeyAlgID() {
1513         if (subjectPublicKeyAlgID == null) {
1514             return null;
1515         }
1516         return subjectPublicKeyAlgID.toString();
1517     }
1518 
1519     /**
1520      * Returns the subjectPublicKey criterion. The
1521      * {@code X509Certificate} must contain the specified subject
1522      * public key. If {@code null}, no subjectPublicKey check will be done.
1523      *
1524      * @return the subject public key to check for (or {@code null})
1525      * @see #setSubjectPublicKey
1526      */
1527     public PublicKey getSubjectPublicKey() {
1528         return subjectPublicKey;
1529     }
1530 
1531     /**
1532      * Returns the keyUsage criterion. The {@code X509Certificate}
1533      * must allow the specified keyUsage values. If null, no keyUsage
1534      * check will be done.
1535      * <p>
1536      * Note that the boolean array returned is cloned to protect against
1537      * subsequent modifications.
1538      *
1539      * @return a boolean array in the same format as the boolean
1540      *                 array returned by
1541      * {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()}.
1542      *                 Or {@code null}.
1543      * @see #setKeyUsage
1544      */
1545     public boolean[] getKeyUsage() {
1546         if (keyUsage == null) {
1547             return null;
1548         }
1549         return keyUsage.clone();
1550     }
1551 
1552     /**
1553      * Returns the extendedKeyUsage criterion. The {@code X509Certificate}
1554      * must allow the specified key purposes in its extended key usage
1555      * extension. If the {@code keyPurposeSet} returned is empty or
1556      * {@code null}, no extendedKeyUsage check will be done. Note that an
1557      * {@code X509Certificate} that has no extendedKeyUsage extension
1558      * implicitly allows all key purposes.
1559      *
1560      * @return an immutable {@code Set} of key purpose OIDs in string
1561      * format (or {@code null})
1562      * @see #setExtendedKeyUsage
1563      */
1564     public Set<String> getExtendedKeyUsage() {
1565         return keyPurposeSet;
1566     }
1567 
1568     /**
1569      * Indicates if the {@code X509Certificate} must contain all
1570      * or at least one of the subjectAlternativeNames
1571      * specified in the {@link #setSubjectAlternativeNames
1572      * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
1573      * addSubjectAlternativeName} methods. If {@code true},
1574      * the {@code X509Certificate} must contain all of the
1575      * specified subject alternative names. If {@code false}, the
1576      * {@code X509Certificate} must contain at least one of the
1577      * specified subject alternative names.
1578      *
1579      * @return {@code true} if the flag is enabled;
1580      * {@code false} if the flag is disabled. The flag is
1581      * {@code true} by default.
1582      * @see #setMatchAllSubjectAltNames
1583      */
1584     public boolean getMatchAllSubjectAltNames() {
1585         return matchAllSubjectAltNames;
1586     }
1587 
1588     /**
1589      * Returns a copy of the subjectAlternativeNames criterion.
1590      * The {@code X509Certificate} must contain all or at least one
1591      * of the specified subjectAlternativeNames, depending on the value
1592      * of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames
1593      * getMatchAllSubjectAltNames}). If the value returned is
1594      * {@code null}, no subjectAlternativeNames check will be performed.
1595      * <p>
1596      * If the value returned is not {@code null}, it is a
1597      * {@code Collection} with
1598      * one entry for each name to be included in the subject alternative name
1599      * criterion. Each entry is a {@code List} whose first entry is an
1600      * {@code Integer} (the name type, 0-8) and whose second
1601      * entry is a {@code String} or a byte array (the name, in
1602      * string or ASN.1 DER encoded form, respectively).
1603      * There can be multiple names of the same type.  Note that the
1604      * {@code Collection} returned may contain duplicate names (same name
1605      * and name type).
1606      * <p>
1607      * Each subject alternative name in the {@code Collection}
1608      * may be specified either as a {@code String} or as an ASN.1 encoded
1609      * byte array. For more details about the formats used, see
1610      * {@link #addSubjectAlternativeName(int type, String name)
1611      * addSubjectAlternativeName(int type, String name)} and
1612      * {@link #addSubjectAlternativeName(int type, byte [] name)
1613      * addSubjectAlternativeName(int type, byte [] name)}.
1614      * <p>
1615      * Note that a deep copy is performed on the {@code Collection} to
1616      * protect against subsequent modifications.
1617      *
1618      * @return a {@code Collection} of names (or {@code null})
1619      * @see #setSubjectAlternativeNames
1620      */
1621     public Collection<List<?>> getSubjectAlternativeNames() {
1622         if (subjectAlternativeNames == null) {
1623             return null;
1624         }
1625         return cloneNames(subjectAlternativeNames);
1626     }
1627 
1628     /**
1629      * Clone an object of the form passed to
1630      * setSubjectAlternativeNames and setPathToNames.
1631      * Throw a {@code RuntimeException} if the argument is malformed.
1632      * <p>
1633      * This method wraps cloneAndCheckNames, changing any
1634      * {@code IOException} into a {@code RuntimeException}. This
1635      * method should be used when the object being
1636      * cloned has already been checked, so there should never be any exceptions.
1637      *
1638      * @param names a {@code Collection} with one entry per name.
1639      *              Each entry is a {@code List} whose first entry
1640      *              is an Integer (the name type, 0-8) and whose second
1641      *              entry is a String or a byte array (the name, in
1642      *              string or ASN.1 DER encoded form, respectively).
1643      *              There can be multiple names of the same type. Null
1644      *              is not an acceptable value.
1645      * @return a deep copy of the specified {@code Collection}
1646      * @throws RuntimeException if a parsing error occurs
1647      */
1648     private static Set<List<?>> cloneNames(Collection<List<?>> names) {
1649         try {
1650             return cloneAndCheckNames(names);
1651         } catch (IOException e) {
1652             throw new RuntimeException("cloneNames encountered IOException: " +
1653                                        e.getMessage());
1654         }
1655     }
1656 
1657     /**
1658      * Clone and check an argument of the form passed to
1659      * setSubjectAlternativeNames and setPathToNames.
1660      * Throw an {@code IOException} if the argument is malformed.
1661      *
1662      * @param names a {@code Collection} with one entry per name.
1663      *              Each entry is a {@code List} whose first entry
1664      *              is an Integer (the name type, 0-8) and whose second
1665      *              entry is a String or a byte array (the name, in
1666      *              string or ASN.1 DER encoded form, respectively).
1667      *              There can be multiple names of the same type.
1668      *              {@code null} is not an acceptable value.
1669      * @return a deep copy of the specified {@code Collection}
1670      * @throws IOException if a parsing error occurs
1671      */
1672     private static Set<List<?>> cloneAndCheckNames(Collection<List<?>> names) throws IOException {
1673         // Copy the Lists and Collection
1674         Set<List<?>> namesCopy = new HashSet<List<?>>();
1675         for (List<?> o : names)
1676         {
1677             namesCopy.add(new ArrayList<Object>(o));
1678         }
1679 
1680         // Check the contents of the Lists and clone any byte arrays
1681         for (List<?> list : namesCopy) {
1682             @SuppressWarnings("unchecked") // See javadoc for parameter "names".
1683             List<Object> nameList = (List<Object>)list;
1684             if (nameList.size() != 2) {
1685                 throw new IOException("name list size not 2");
1686             }
1687             Object o = nameList.get(0);
1688             if (!(o instanceof Integer)) {
1689                 throw new IOException("expected an Integer");
1690             }
1691             int nameType = ((Integer)o).intValue();
1692             if ((nameType < 0) || (nameType > 8)) {
1693                 throw new IOException("name type not 0-8");
1694             }
1695             Object nameObject = nameList.get(1);
1696             if (!(nameObject instanceof byte[]) &&
1697                 !(nameObject instanceof String)) {
1698                 if (debug != null) {
1699                     debug.println("X509CertSelector.cloneAndCheckNames() "
1700                         + "name not byte array");
1701                 }
1702                 throw new IOException("name not byte array or String");
1703             }
1704             if (nameObject instanceof byte[]) {
1705                 nameList.set(1, ((byte[]) nameObject).clone());
1706             }
1707         }
1708         return namesCopy;
1709     }
1710 
1711     /**
1712      * Returns the name constraints criterion. The {@code X509Certificate}
1713      * must have subject and subject alternative names that
1714      * meet the specified name constraints.
1715      * <p>
1716      * The name constraints are returned as a byte array. This byte array
1717      * contains the DER encoded form of the name constraints, as they
1718      * would appear in the NameConstraints structure defined in RFC 3280
1719      * and X.509. The ASN.1 notation for this structure is supplied in the
1720      * documentation for
1721      * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}.
1722      * <p>
1723      * Note that the byte array returned is cloned to protect against
1724      * subsequent modifications.
1725      *
1726      * @return a byte array containing the ASN.1 DER encoding of
1727      *         a NameConstraints extension used for checking name constraints.
1728      *         {@code null} if no name constraints check will be performed.
1729      * @see #setNameConstraints
1730      */
1731     public byte[] getNameConstraints() {
1732         if (ncBytes == null) {
1733             return null;
1734         } else {
1735             return ncBytes.clone();
1736         }
1737     }
1738 
1739     /**
1740      * Returns the basic constraints constraint. If the value is greater than
1741      * or equal to zero, the {@code X509Certificates} must include a
1742      * basicConstraints extension with a pathLen of at least this value.
1743      * If the value is -2, only end-entity certificates are accepted. If
1744      * the value is -1, no basicConstraints check is done.
1745      *
1746      * @return the value for the basic constraints constraint
1747      * @see #setBasicConstraints
1748      */
1749     public int getBasicConstraints() {
1750         return basicConstraints;
1751     }
1752 
1753     /**
1754      * Returns the policy criterion. The {@code X509Certificate} must
1755      * include at least one of the specified policies in its certificate policies
1756      * extension. If the {@code Set} returned is empty, then the
1757      * {@code X509Certificate} must include at least some specified policy
1758      * in its certificate policies extension. If the {@code Set} returned is
1759      * {@code null}, no policy check will be performed.
1760      *
1761      * @return an immutable {@code Set} of certificate policy OIDs in
1762      *         string format (or {@code null})
1763      * @see #setPolicy
1764      */
1765     public Set<String> getPolicy() {
1766         return policySet;
1767     }
1768 
1769     /**
1770      * Returns a copy of the pathToNames criterion. The
1771      * {@code X509Certificate} must not include name constraints that would
1772      * prohibit building a path to the specified names. If the value
1773      * returned is {@code null}, no pathToNames check will be performed.
1774      * <p>
1775      * If the value returned is not {@code null}, it is a
1776      * {@code Collection} with one
1777      * entry for each name to be included in the pathToNames
1778      * criterion. Each entry is a {@code List} whose first entry is an
1779      * {@code Integer} (the name type, 0-8) and whose second
1780      * entry is a {@code String} or a byte array (the name, in
1781      * string or ASN.1 DER encoded form, respectively).
1782      * There can be multiple names of the same type. Note that the
1783      * {@code Collection} returned may contain duplicate names (same
1784      * name and name type).
1785      * <p>
1786      * Each name in the {@code Collection}
1787      * may be specified either as a {@code String} or as an ASN.1 encoded
1788      * byte array. For more details about the formats used, see
1789      * {@link #addPathToName(int type, String name)
1790      * addPathToName(int type, String name)} and
1791      * {@link #addPathToName(int type, byte [] name)
1792      * addPathToName(int type, byte [] name)}.
1793      * <p>
1794      * Note that a deep copy is performed on the {@code Collection} to
1795      * protect against subsequent modifications.
1796      *
1797      * @return a {@code Collection} of names (or {@code null})
1798      * @see #setPathToNames
1799      */
1800     public Collection<List<?>> getPathToNames() {
1801         if (pathToNames == null) {
1802             return null;
1803         }
1804         return cloneNames(pathToNames);
1805     }
1806 
1807     /**
1808      * Return a printable representation of the {@code CertSelector}.
1809      *
1810      * @return a {@code String} describing the contents of the
1811      *         {@code CertSelector}
1812      */
1813     public String toString() {
1814         StringBuilder sb = new StringBuilder();
1815         sb.append("X509CertSelector: [\n");
1816         if (x509Cert != null) {
1817             sb.append("  Certificate: " + x509Cert.toString() + "\n");
1818         }
1819         if (serialNumber != null) {
1820             sb.append("  Serial Number: " + serialNumber.toString() + "\n");
1821         }
1822         if (issuer != null) {
1823             sb.append("  Issuer: " + getIssuerAsString() + "\n");
1824         }
1825         if (subject != null) {
1826             sb.append("  Subject: " + getSubjectAsString() + "\n");
1827         }
1828         sb.append("  matchAllSubjectAltNames flag: "
1829                   + String.valueOf(matchAllSubjectAltNames) + "\n");
1830         if (subjectAlternativeNames != null) {
1831             sb.append("  SubjectAlternativeNames:\n");
1832             Iterator<List<?>> i = subjectAlternativeNames.iterator();
1833             while (i.hasNext()) {
1834                 List<?> list = i.next();
1835                 sb.append("    type " + list.get(0) +
1836                           ", name " + list.get(1) + "\n");
1837             }
1838         }
1839         if (subjectKeyID != null) {
1840             HexDumpEncoder enc = new HexDumpEncoder();
1841             sb.append("  Subject Key Identifier: " +
1842                       enc.encodeBuffer(subjectKeyID) + "\n");
1843         }
1844         if (authorityKeyID != null) {
1845             HexDumpEncoder enc = new HexDumpEncoder();
1846             sb.append("  Authority Key Identifier: " +
1847                       enc.encodeBuffer(authorityKeyID) + "\n");
1848         }
1849         if (certificateValid != null) {
1850             sb.append("  Certificate Valid: " +
1851                       certificateValid.toString() + "\n");
1852         }
1853         if (privateKeyValid != null) {
1854             sb.append("  Private Key Valid: " +
1855                       privateKeyValid.toString() + "\n");
1856         }
1857         if (subjectPublicKeyAlgID != null) {
1858             sb.append("  Subject Public Key AlgID: " +
1859                       subjectPublicKeyAlgID.toString() + "\n");
1860         }
1861         if (subjectPublicKey != null) {
1862             sb.append("  Subject Public Key: " +
1863                       subjectPublicKey.toString() + "\n");
1864         }
1865         if (keyUsage != null) {
1866             sb.append("  Key Usage: " + keyUsageToString(keyUsage) + "\n");
1867         }
1868         if (keyPurposeSet != null) {
1869             sb.append("  Extended Key Usage: " +
1870                       keyPurposeSet.toString() + "\n");
1871         }
1872         if (policy != null) {
1873             sb.append("  Policy: " + policy.toString() + "\n");
1874         }
1875         if (pathToGeneralNames != null) {
1876             sb.append("  Path to names:\n");
1877             Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator();
1878             while (i.hasNext()) {
1879                 sb.append("    " + i.next() + "\n");
1880             }
1881         }
1882         sb.append("]");
1883         return sb.toString();
1884     }
1885 
1886     // Copied from sun.security.x509.KeyUsageExtension
1887     // (without calling the superclass)
1888     /**
1889      * Returns a printable representation of the KeyUsage.
1890      */
1891     private static String keyUsageToString(boolean[] k) {
1892         String s = "KeyUsage [\n";
1893         try {
1894             if (k[0]) {
1895                 s += "  DigitalSignature\n";
1896             }
1897             if (k[1]) {
1898                 s += "  Non_repudiation\n";
1899             }
1900             if (k[2]) {
1901                 s += "  Key_Encipherment\n";
1902             }
1903             if (k[3]) {
1904                 s += "  Data_Encipherment\n";
1905             }
1906             if (k[4]) {
1907                 s += "  Key_Agreement\n";
1908             }
1909             if (k[5]) {
1910                 s += "  Key_CertSign\n";
1911             }
1912             if (k[6]) {
1913                 s += "  Crl_Sign\n";
1914             }
1915             if (k[7]) {
1916                 s += "  Encipher_Only\n";
1917             }
1918             if (k[8]) {
1919                 s += "  Decipher_Only\n";
1920             }
1921         } catch (ArrayIndexOutOfBoundsException ex) {}
1922 
1923         s += "]\n";
1924 
1925         return (s);
1926     }
1927 
1928     /**
1929      * Returns an Extension object given any X509Certificate and extension oid.
1930      * Throw an {@code IOException} if the extension byte value is
1931      * malformed.
1932      *
1933      * @param cert a {@code X509Certificate}
1934      * @param extId an {@code integer} which specifies the extension index.
1935      * Currently, the supported extensions are as follows:
1936      * index 0 - PrivateKeyUsageExtension
1937      * index 1 - SubjectAlternativeNameExtension
1938      * index 2 - NameConstraintsExtension
1939      * index 3 - CertificatePoliciesExtension
1940      * index 4 - ExtendedKeyUsageExtension
1941      * @return an {@code Extension} object whose real type is as specified
1942      * by the extension oid.
1943      * @throws IOException if cannot construct the {@code Extension}
1944      * object with the extension encoding retrieved from the passed in
1945      * {@code X509Certificate}.
1946      */
1947     private static Extension getExtensionObject(X509Certificate cert, int extId)
1948             throws IOException {
1949         if (cert instanceof X509CertImpl) {
1950             X509CertImpl impl = (X509CertImpl)cert;
1951             switch (extId) {
1952             case PRIVATE_KEY_USAGE_ID:
1953                 return impl.getPrivateKeyUsageExtension();
1954             case SUBJECT_ALT_NAME_ID:
1955                 return impl.getSubjectAlternativeNameExtension();
1956             case NAME_CONSTRAINTS_ID:
1957                 return impl.getNameConstraintsExtension();
1958             case CERT_POLICIES_ID:
1959                 return impl.getCertificatePoliciesExtension();
1960             case EXTENDED_KEY_USAGE_ID:
1961                 return impl.getExtendedKeyUsageExtension();
1962             default:
1963                 return null;
1964             }
1965         }
1966         byte[] rawExtVal = cert.getExtensionValue(EXTENSION_OIDS[extId]);
1967         if (rawExtVal == null) {
1968             return null;
1969         }
1970         DerInputStream in = new DerInputStream(rawExtVal);
1971         byte[] encoded = in.getOctetString();
1972         switch (extId) {
1973         case PRIVATE_KEY_USAGE_ID:
1974             try {
1975                 return new PrivateKeyUsageExtension(FALSE, encoded);
1976             } catch (CertificateException ex) {
1977                 throw new IOException(ex.getMessage());
1978             }
1979         case SUBJECT_ALT_NAME_ID:
1980             return new SubjectAlternativeNameExtension(FALSE, encoded);
1981         case NAME_CONSTRAINTS_ID:
1982             return new NameConstraintsExtension(FALSE, encoded);
1983         case CERT_POLICIES_ID:
1984             return new CertificatePoliciesExtension(FALSE, encoded);
1985         case EXTENDED_KEY_USAGE_ID:
1986             return new ExtendedKeyUsageExtension(FALSE, encoded);
1987         default:
1988             return null;
1989         }
1990     }
1991 
1992     /**
1993      * Decides whether a {@code Certificate} should be selected.
1994      *
1995      * @param cert the {@code Certificate} to be checked
1996      * @return {@code true} if the {@code Certificate} should be
1997      *         selected, {@code false} otherwise
1998      */
1999     public boolean match(Certificate cert) {
2000         if (!(cert instanceof X509Certificate)) {
2001             return false;
2002         }
2003         X509Certificate xcert = (X509Certificate)cert;
2004 
2005         if (debug != null) {
2006             debug.println("X509CertSelector.match(SN: "
2007                 + (xcert.getSerialNumber()).toString(16) + "\n  Issuer: "
2008                 + xcert.getIssuerDN() + "\n  Subject: " + xcert.getSubjectDN()
2009                 + ")");
2010         }
2011 
2012         /* match on X509Certificate */
2013         if (x509Cert != null) {
2014             if (!x509Cert.equals(xcert)) {
2015                 if (debug != null) {
2016                     debug.println("X509CertSelector.match: "
2017                         + "certs don't match");
2018                 }
2019                 return false;
2020             }
2021         }
2022 
2023         /* match on serial number */
2024         if (serialNumber != null) {
2025             if (!serialNumber.equals(xcert.getSerialNumber())) {
2026                 if (debug != null) {
2027                     debug.println("X509CertSelector.match: "
2028                         + "serial numbers don't match");
2029                 }
2030                 return false;
2031             }
2032         }
2033 
2034         /* match on issuer name */
2035         if (issuer != null) {
2036             if (!issuer.equals(xcert.getIssuerX500Principal())) {
2037                 if (debug != null) {
2038                     debug.println("X509CertSelector.match: "
2039                         + "issuer DNs don't match");
2040                 }
2041                 return false;
2042             }
2043         }
2044 
2045         /* match on subject name */
2046         if (subject != null) {
2047             if (!subject.equals(xcert.getSubjectX500Principal())) {
2048                 if (debug != null) {
2049                     debug.println("X509CertSelector.match: "
2050                         + "subject DNs don't match");
2051                 }
2052                 return false;
2053             }
2054         }
2055 
2056         /* match on certificate validity range */
2057         if (certificateValid != null) {
2058             try {
2059                 xcert.checkValidity(certificateValid);
2060             } catch (CertificateException e) {
2061                 if (debug != null) {
2062                     debug.println("X509CertSelector.match: "
2063                         + "certificate not within validity period");
2064                 }
2065                 return false;
2066             }
2067         }
2068 
2069         /* match on subject public key */
2070         if (subjectPublicKeyBytes != null) {
2071             byte[] certKey = xcert.getPublicKey().getEncoded();
2072             if (!Arrays.equals(subjectPublicKeyBytes, certKey)) {
2073                 if (debug != null) {
2074                     debug.println("X509CertSelector.match: "
2075                         + "subject public keys don't match");
2076                 }
2077                 return false;
2078             }
2079         }
2080 
2081         boolean result = matchBasicConstraints(xcert)
2082                       && matchKeyUsage(xcert)
2083                       && matchExtendedKeyUsage(xcert)
2084                       && matchSubjectKeyID(xcert)
2085                       && matchAuthorityKeyID(xcert)
2086                       && matchPrivateKeyValid(xcert)
2087                       && matchSubjectPublicKeyAlgID(xcert)
2088                       && matchPolicy(xcert)
2089                       && matchSubjectAlternativeNames(xcert)
2090                       && matchPathToNames(xcert)
2091                       && matchNameConstraints(xcert);
2092 
2093         if (result && (debug != null)) {
2094             debug.println("X509CertSelector.match returning: true");
2095         }
2096         return result;
2097     }
2098 
2099     /* match on subject key identifier extension value */
2100     private boolean matchSubjectKeyID(X509Certificate xcert) {
2101         if (subjectKeyID == null) {
2102             return true;
2103         }
2104         try {
2105             byte[] extVal = xcert.getExtensionValue("2.5.29.14");
2106             if (extVal == null) {
2107                 if (debug != null) {
2108                     debug.println("X509CertSelector.match: "
2109                         + "no subject key ID extension");
2110                 }
2111                 return false;
2112             }
2113             DerInputStream in = new DerInputStream(extVal);
2114             byte[] certSubjectKeyID = in.getOctetString();
2115             if (certSubjectKeyID == null ||
2116                     !Arrays.equals(subjectKeyID, certSubjectKeyID)) {
2117                 if (debug != null) {
2118                     debug.println("X509CertSelector.match: "
2119                         + "subject key IDs don't match");
2120                 }
2121                 return false;
2122             }
2123         } catch (IOException ex) {
2124             if (debug != null) {
2125                 debug.println("X509CertSelector.match: "
2126                     + "exception in subject key ID check");
2127             }
2128             return false;
2129         }
2130         return true;
2131     }
2132 
2133     /* match on authority key identifier extension value */
2134     private boolean matchAuthorityKeyID(X509Certificate xcert) {
2135         if (authorityKeyID == null) {
2136             return true;
2137         }
2138         try {
2139             byte[] extVal = xcert.getExtensionValue("2.5.29.35");
2140             if (extVal == null) {
2141                 if (debug != null) {
2142                     debug.println("X509CertSelector.match: "
2143                         + "no authority key ID extension");
2144                 }
2145                 return false;
2146             }
2147             DerInputStream in = new DerInputStream(extVal);
2148             byte[] certAuthKeyID = in.getOctetString();
2149             if (certAuthKeyID == null ||
2150                     !Arrays.equals(authorityKeyID, certAuthKeyID)) {
2151                 if (debug != null) {
2152                     debug.println("X509CertSelector.match: "
2153                         + "authority key IDs don't match");
2154                 }
2155                 return false;
2156             }
2157         } catch (IOException ex) {
2158             if (debug != null) {
2159                 debug.println("X509CertSelector.match: "
2160                     + "exception in authority key ID check");
2161             }
2162             return false;
2163         }
2164         return true;
2165     }
2166 
2167     /* match on private key usage range */
2168     private boolean matchPrivateKeyValid(X509Certificate xcert) {
2169         if (privateKeyValid == null) {
2170             return true;
2171         }
2172         PrivateKeyUsageExtension ext = null;
2173         try {
2174             ext = (PrivateKeyUsageExtension)
2175                 getExtensionObject(xcert, PRIVATE_KEY_USAGE_ID);
2176             if (ext != null) {
2177                 ext.valid(privateKeyValid);
2178             }
2179         } catch (CertificateExpiredException e1) {
2180             if (debug != null) {
2181                 String time = "n/a";
2182                 try {
2183                     Date notAfter = ext.get(PrivateKeyUsageExtension.NOT_AFTER);
2184                     time = notAfter.toString();
2185                 } catch (CertificateException ex) {
2186                     // not able to retrieve notAfter value
2187                 }
2188                 debug.println("X509CertSelector.match: private key usage not "
2189                     + "within validity date; ext.NOT_After: "
2190                     + time + "; X509CertSelector: "
2191                     + this.toString());
2192                 e1.printStackTrace();
2193             }
2194             return false;
2195         } catch (CertificateNotYetValidException e2) {
2196             if (debug != null) {
2197                 String time = "n/a";
2198                 try {
2199                     Date notBefore = ext.get(PrivateKeyUsageExtension.NOT_BEFORE);
2200                     time = notBefore.toString();
2201                 } catch (CertificateException ex) {
2202                     // not able to retrieve notBefore value
2203                 }
2204                 debug.println("X509CertSelector.match: private key usage not "
2205                     + "within validity date; ext.NOT_BEFORE: "
2206                     + time + "; X509CertSelector: "
2207                     + this.toString());
2208                 e2.printStackTrace();
2209             }
2210             return false;
2211         } catch (IOException e4) {
2212             if (debug != null) {
2213                 debug.println("X509CertSelector.match: IOException in "
2214                     + "private key usage check; X509CertSelector: "
2215                     + this.toString());
2216                 e4.printStackTrace();
2217             }
2218             return false;
2219         }
2220         return true;
2221     }
2222 
2223     /* match on subject public key algorithm OID */
2224     private boolean matchSubjectPublicKeyAlgID(X509Certificate xcert) {
2225         if (subjectPublicKeyAlgID == null) {
2226             return true;
2227         }
2228         try {
2229             byte[] encodedKey = xcert.getPublicKey().getEncoded();
2230             DerValue val = new DerValue(encodedKey);
2231             if (val.tag != DerValue.tag_Sequence) {
2232                 throw new IOException("invalid key format");
2233             }
2234 
2235             AlgorithmId algID = AlgorithmId.parse(val.data.getDerValue());
2236             if (debug != null) {
2237                 debug.println("X509CertSelector.match: subjectPublicKeyAlgID = "
2238                     + subjectPublicKeyAlgID + ", xcert subjectPublicKeyAlgID = "
2239                     + algID.getOID());
2240             }
2241             if (!subjectPublicKeyAlgID.equals((Object)algID.getOID())) {
2242                 if (debug != null) {
2243                     debug.println("X509CertSelector.match: "
2244                         + "subject public key alg IDs don't match");
2245                 }
2246                 return false;
2247             }
2248         } catch (IOException e5) {
2249             if (debug != null) {
2250                 debug.println("X509CertSelector.match: IOException in subject "
2251                     + "public key algorithm OID check");
2252             }
2253             return false;
2254         }
2255         return true;
2256     }
2257 
2258     /* match on key usage extension value */
2259     private boolean matchKeyUsage(X509Certificate xcert) {
2260         if (keyUsage == null) {
2261             return true;
2262         }
2263         boolean[] certKeyUsage = xcert.getKeyUsage();
2264         if (certKeyUsage != null) {
2265             for (int keyBit = 0; keyBit < keyUsage.length; keyBit++) {
2266                 if (keyUsage[keyBit] &&
2267                     ((keyBit >= certKeyUsage.length) || !certKeyUsage[keyBit])) {
2268                     if (debug != null) {
2269                         debug.println("X509CertSelector.match: "
2270                             + "key usage bits don't match");
2271                     }
2272                     return false;
2273                 }
2274             }
2275         }
2276         return true;
2277     }
2278 
2279     /* match on extended key usage purpose OIDs */
2280     private boolean matchExtendedKeyUsage(X509Certificate xcert) {
2281         if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
2282             return true;
2283         }
2284         try {
2285             ExtendedKeyUsageExtension ext =
2286                 (ExtendedKeyUsageExtension)getExtensionObject(xcert,
2287                                                 EXTENDED_KEY_USAGE_ID);
2288             if (ext != null) {
2289                 Vector<ObjectIdentifier> certKeyPurposeVector =
2290                     ext.get(ExtendedKeyUsageExtension.USAGES);
2291                 if (!certKeyPurposeVector.contains(ANY_EXTENDED_KEY_USAGE)
2292                         && !certKeyPurposeVector.containsAll(keyPurposeOIDSet)) {
2293                     if (debug != null) {
2294                         debug.println("X509CertSelector.match: cert failed "
2295                             + "extendedKeyUsage criterion");
2296                     }
2297                     return false;
2298                 }
2299             }
2300         } catch (IOException ex) {
2301             if (debug != null) {
2302                 debug.println("X509CertSelector.match: "
2303                     + "IOException in extended key usage check");
2304             }
2305             return false;
2306         }
2307         return true;
2308     }
2309 
2310     /* match on subject alternative name extension names */
2311     private boolean matchSubjectAlternativeNames(X509Certificate xcert) {
2312         if ((subjectAlternativeNames == null) || subjectAlternativeNames.isEmpty()) {
2313             return true;
2314         }
2315         try {
2316             SubjectAlternativeNameExtension sanExt =
2317                 (SubjectAlternativeNameExtension) getExtensionObject(xcert,
2318                                                       SUBJECT_ALT_NAME_ID);
2319             if (sanExt == null) {
2320                 if (debug != null) {
2321                   debug.println("X509CertSelector.match: "
2322                       + "no subject alternative name extension");
2323                 }
2324                 return false;
2325             }
2326             GeneralNames certNames =
2327                     sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
2328             Iterator<GeneralNameInterface> i =
2329                                 subjectAlternativeGeneralNames.iterator();
2330             while (i.hasNext()) {
2331                 GeneralNameInterface matchName = i.next();
2332                 boolean found = false;
2333                 for (Iterator<GeneralName> t = certNames.iterator();
2334                                                 t.hasNext() && !found; ) {
2335                     GeneralNameInterface certName = (t.next()).getName();
2336                     found = certName.equals(matchName);
2337                 }
2338                 if (!found && (matchAllSubjectAltNames || !i.hasNext())) {
2339                     if (debug != null) {
2340                       debug.println("X509CertSelector.match: subject alternative "
2341                           + "name " + matchName + " not found");
2342                     }
2343                     return false;
2344                 } else if (found && !matchAllSubjectAltNames) {
2345                     break;
2346                 }
2347             }
2348         } catch (IOException ex) {
2349             if (debug != null)
2350                 debug.println("X509CertSelector.match: IOException in subject "
2351                     + "alternative name check");
2352             return false;
2353         }
2354         return true;
2355     }
2356 
2357     /* match on name constraints */
2358     private boolean matchNameConstraints(X509Certificate xcert) {
2359         if (nc == null) {
2360             return true;
2361         }
2362         try {
2363             if (!nc.verify(xcert)) {
2364                 if (debug != null) {
2365                     debug.println("X509CertSelector.match: "
2366                         + "name constraints not satisfied");
2367                 }
2368                 return false;
2369             }
2370         } catch (IOException e) {
2371             if (debug != null) {
2372                 debug.println("X509CertSelector.match: "
2373                     + "IOException in name constraints check");
2374             }
2375             return false;
2376         }
2377         return true;
2378     }
2379 
2380     /* match on policy OIDs */
2381     private boolean matchPolicy(X509Certificate xcert) {
2382         if (policy == null) {
2383             return true;
2384         }
2385         try {
2386             CertificatePoliciesExtension ext = (CertificatePoliciesExtension)
2387                 getExtensionObject(xcert, CERT_POLICIES_ID);
2388             if (ext == null) {
2389                 if (debug != null) {
2390                   debug.println("X509CertSelector.match: "
2391                       + "no certificate policy extension");
2392                 }
2393                 return false;
2394             }
2395             List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
2396             /*
2397              * Convert the Vector of PolicyInformation to a Vector
2398              * of CertificatePolicyIds for easier comparison.
2399              */
2400             List<CertificatePolicyId> policyIDs = new ArrayList<CertificatePolicyId>(policies.size());
2401             for (PolicyInformation info : policies) {
2402                 policyIDs.add(info.getPolicyIdentifier());
2403             }
2404             if (policy != null) {
2405                 boolean foundOne = false;
2406                 /*
2407                  * if the user passes in an empty policy Set, then
2408                  * we just want to make sure that the candidate certificate
2409                  * has some policy OID in its CertPoliciesExtension
2410                  */
2411                 if (policy.getCertPolicyIds().isEmpty()) {
2412                     if (policyIDs.isEmpty()) {
2413                         if (debug != null) {
2414                             debug.println("X509CertSelector.match: "
2415                                 + "cert failed policyAny criterion");
2416                         }
2417                         return false;
2418                     }
2419                 } else {
2420                     for (CertificatePolicyId id : policy.getCertPolicyIds()) {
2421                         if (policyIDs.contains(id)) {
2422                             foundOne = true;
2423                             break;
2424                         }
2425                     }
2426                     if (!foundOne) {
2427                         if (debug != null) {
2428                             debug.println("X509CertSelector.match: "
2429                                 + "cert failed policyAny criterion");
2430                         }
2431                         return false;
2432                     }
2433                 }
2434             }
2435         } catch (IOException ex) {
2436             if (debug != null) {
2437                 debug.println("X509CertSelector.match: "
2438                     + "IOException in certificate policy ID check");
2439             }
2440             return false;
2441         }
2442         return true;
2443     }
2444 
2445     /* match on pathToNames */
2446     private boolean matchPathToNames(X509Certificate xcert) {
2447         if (pathToGeneralNames == null) {
2448             return true;
2449         }
2450         try {
2451             NameConstraintsExtension ext = (NameConstraintsExtension)
2452                 getExtensionObject(xcert, NAME_CONSTRAINTS_ID);
2453             if (ext == null) {
2454                 return true;
2455             }
2456             if ((debug != null) && Debug.isOn("certpath")) {
2457                 debug.println("X509CertSelector.match pathToNames:\n");
2458                 Iterator<GeneralNameInterface> i =
2459                                         pathToGeneralNames.iterator();
2460                 while (i.hasNext()) {
2461                     debug.println("    " + i.next() + "\n");
2462                 }
2463             }
2464 
2465             GeneralSubtrees permitted =
2466                     ext.get(NameConstraintsExtension.PERMITTED_SUBTREES);
2467             GeneralSubtrees excluded =
2468                     ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
2469             if (excluded != null) {
2470                 if (matchExcluded(excluded) == false) {
2471                     return false;
2472                 }
2473             }
2474             if (permitted != null) {
2475                 if (matchPermitted(permitted) == false) {
2476                     return false;
2477                 }
2478             }
2479         } catch (IOException ex) {
2480             if (debug != null) {
2481                 debug.println("X509CertSelector.match: "
2482                     + "IOException in name constraints check");
2483             }
2484             return false;
2485         }
2486         return true;
2487     }
2488 
2489     private boolean matchExcluded(GeneralSubtrees excluded) {
2490         /*
2491          * Enumerate through excluded and compare each entry
2492          * to all pathToNames. If any pathToName is within any of the
2493          * subtrees listed in excluded, return false.
2494          */
2495         for (Iterator<GeneralSubtree> t = excluded.iterator(); t.hasNext(); ) {
2496             GeneralSubtree tree = t.next();
2497             GeneralNameInterface excludedName = tree.getName().getName();
2498             Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator();
2499             while (i.hasNext()) {
2500                 GeneralNameInterface pathToName = i.next();
2501                 if (excludedName.getType() == pathToName.getType()) {
2502                     switch (pathToName.constrains(excludedName)) {
2503                     case GeneralNameInterface.NAME_WIDENS:
2504                     case GeneralNameInterface.NAME_MATCH:
2505                         if (debug != null) {
2506                             debug.println("X509CertSelector.match: name constraints "
2507                                 + "inhibit path to specified name");
2508                             debug.println("X509CertSelector.match: excluded name: " +
2509                                 pathToName);
2510                         }
2511                         return false;
2512                     default:
2513                     }
2514                 }
2515             }
2516         }
2517         return true;
2518     }
2519 
2520     private boolean matchPermitted(GeneralSubtrees permitted) {
2521         /*
2522          * Enumerate through pathToNames, checking that each pathToName
2523          * is in at least one of the subtrees listed in permitted.
2524          * If not, return false. However, if no subtrees of a given type
2525          * are listed, all names of that type are permitted.
2526          */
2527         Iterator<GeneralNameInterface> i = pathToGeneralNames.iterator();
2528         while (i.hasNext()) {
2529             GeneralNameInterface pathToName = i.next();
2530             Iterator<GeneralSubtree> t = permitted.iterator();
2531             boolean permittedNameFound = false;
2532             boolean nameTypeFound = false;
2533             String names = "";
2534             while (t.hasNext() && !permittedNameFound) {
2535                 GeneralSubtree tree = t.next();
2536                 GeneralNameInterface permittedName = tree.getName().getName();
2537                 if (permittedName.getType() == pathToName.getType()) {
2538                     nameTypeFound = true;
2539                     names = names + "  " + permittedName;
2540                     switch (pathToName.constrains(permittedName)) {
2541                     case GeneralNameInterface.NAME_WIDENS:
2542                     case GeneralNameInterface.NAME_MATCH:
2543                         permittedNameFound = true;
2544                         break;
2545                     default:
2546                     }
2547                 }
2548             }
2549             if (!permittedNameFound && nameTypeFound) {
2550                 if (debug != null)
2551                   debug.println("X509CertSelector.match: " +
2552                             "name constraints inhibit path to specified name; " +
2553                             "permitted names of type " + pathToName.getType() +
2554                             ": " + names);
2555                 return false;
2556             }
2557         }
2558         return true;
2559     }
2560 
2561     /* match on basic constraints */
2562     private boolean matchBasicConstraints(X509Certificate xcert) {
2563         if (basicConstraints == -1) {
2564             return true;
2565         }
2566         int maxPathLen = xcert.getBasicConstraints();
2567         if (basicConstraints == -2) {
2568             if (maxPathLen != -1) {
2569                 if (debug != null) {
2570                     debug.println("X509CertSelector.match: not an EE cert");
2571                 }
2572                 return false;
2573             }
2574         } else {
2575             if (maxPathLen < basicConstraints) {
2576                 if (debug != null) {
2577                     debug.println("X509CertSelector.match: maxPathLen too small ("
2578                         + maxPathLen + " < " + basicConstraints + ")");
2579                 }
2580                 return false;
2581             }
2582         }
2583         return true;
2584     }
2585 
2586     @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly
2587     private static <T> Set<T> cloneSet(Set<T> set) {
2588         if (set instanceof HashSet) {
2589             Object clone = ((HashSet<T>)set).clone();
2590             return (Set<T>)clone;
2591         } else {
2592             return new HashSet<T>(set);
2593         }
2594     }
2595 
2596     /**
2597      * Returns a copy of this object.
2598      *
2599      * @return the copy
2600      */
2601     public Object clone() {
2602         try {
2603             X509CertSelector copy = (X509CertSelector)super.clone();
2604             // Must clone these because addPathToName et al. modify them
2605             if (subjectAlternativeNames != null) {
2606                 copy.subjectAlternativeNames =
2607                         cloneSet(subjectAlternativeNames);
2608                 copy.subjectAlternativeGeneralNames =
2609                         cloneSet(subjectAlternativeGeneralNames);
2610             }
2611             if (pathToGeneralNames != null) {
2612                 copy.pathToNames = cloneSet(pathToNames);
2613                 copy.pathToGeneralNames = cloneSet(pathToGeneralNames);
2614             }
2615             return copy;
2616         } catch (CloneNotSupportedException e) {
2617             /* Cannot happen */
2618             throw new InternalError(e.toString(), e);
2619         }
2620     }
2621 }