1 /* 2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.BufferedReader; 29 import java.io.BufferedInputStream; 30 import java.io.ByteArrayOutputStream; 31 import java.io.IOException; 32 import java.io.InputStream; 33 import java.io.InputStreamReader; 34 import java.io.OutputStream; 35 import java.math.BigInteger; 36 import java.security.*; 37 import java.security.cert.*; 38 import java.security.cert.Certificate; 39 import java.util.*; 40 import java.util.concurrent.ConcurrentHashMap; 41 42 import javax.security.auth.x500.X500Principal; 43 44 import sun.security.util.HexDumpEncoder; 45 import java.util.Base64; 46 import sun.security.util.*; 47 import sun.security.provider.X509Factory; 48 49 /** 50 * The X509CertImpl class represents an X.509 certificate. These certificates 51 * are widely used to support authentication and other functionality in 52 * Internet security systems. Common applications include Privacy Enhanced 53 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted 54 * software distribution, and Secure Electronic Transactions (SET). There 55 * is a commercial infrastructure ready to manage large scale deployments 56 * of X.509 identity certificates. 57 * 58 * <P>These certificates are managed and vouched for by <em>Certificate 59 * Authorities</em> (CAs). CAs are services which create certificates by 60 * placing data in the X.509 standard format and then digitally signing 61 * that data. Such signatures are quite difficult to forge. CAs act as 62 * trusted third parties, making introductions between agents who have no 63 * direct knowledge of each other. CA certificates are either signed by 64 * themselves, or by some other CA such as a "root" CA. 65 * 66 * <P>RFC 1422 is very informative, though it does not describe much 67 * of the recent work being done with X.509 certificates. That includes 68 * a 1996 version (X.509v3) and a variety of enhancements being made to 69 * facilitate an explosion of personal certificates used as "Internet 70 * Drivers' Licences", or with SET for credit card transactions. 71 * 72 * <P>More recent work includes the IETF PKIX Working Group efforts, 73 * especially RFC2459. 74 * 75 * @author Dave Brownell 76 * @author Amit Kapoor 77 * @author Hemma Prafullchandra 78 * @see X509CertInfo 79 */ 80 public class X509CertImpl extends X509Certificate implements DerEncoder { 81 82 private static final long serialVersionUID = -3457612960190864406L; 83 84 private static final char DOT = '.'; 85 /** 86 * Public attribute names. 87 */ 88 public static final String NAME = "x509"; 89 public static final String INFO = X509CertInfo.NAME; 90 public static final String ALG_ID = "algorithm"; 91 public static final String SIGNATURE = "signature"; 92 public static final String SIGNED_CERT = "signed_cert"; 93 94 /** 95 * The following are defined for ease-of-use. These 96 * are the most frequently retrieved attributes. 97 */ 98 // x509.info.subject.dname 99 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT + 100 X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME; 101 // x509.info.issuer.dname 102 public static final String ISSUER_DN = NAME + DOT + INFO + DOT + 103 X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME; 104 // x509.info.serialNumber.number 105 public static final String SERIAL_ID = NAME + DOT + INFO + DOT + 106 X509CertInfo.SERIAL_NUMBER + DOT + 107 CertificateSerialNumber.NUMBER; 108 // x509.info.key.value 109 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT + 110 X509CertInfo.KEY + DOT + 111 CertificateX509Key.KEY; 112 113 // x509.info.version.value 114 public static final String VERSION = NAME + DOT + INFO + DOT + 115 X509CertInfo.VERSION + DOT + 116 CertificateVersion.VERSION; 117 118 // x509.algorithm 119 public static final String SIG_ALG = NAME + DOT + ALG_ID; 120 121 // x509.signature 122 public static final String SIG = NAME + DOT + SIGNATURE; 123 124 // when we sign and decode we set this to true 125 // this is our means to make certificates immutable 126 private boolean readOnly = false; 127 128 // Certificate data, and its envelope 129 private byte[] signedCert = null; 130 protected X509CertInfo info = null; 131 protected AlgorithmId algId = null; 132 protected byte[] signature = null; 133 134 // recognized extension OIDS 135 private static final String KEY_USAGE_OID = "2.5.29.15"; 136 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37"; 137 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19"; 138 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17"; 139 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18"; 140 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1"; 141 142 // number of standard key usage bits. 143 private static final int NUM_STANDARD_KEY_USAGE = 9; 144 145 // SubjectAlterntativeNames cache 146 private Collection<List<?>> subjectAlternativeNames; 147 148 // IssuerAlternativeNames cache 149 private Collection<List<?>> issuerAlternativeNames; 150 151 // ExtendedKeyUsage cache 152 private List<String> extKeyUsage; 153 154 // AuthorityInformationAccess cache 155 private Set<AccessDescription> authInfoAccess; 156 157 /** 158 * PublicKey that has previously been used to verify 159 * the signature of this certificate. Null if the certificate has not 160 * yet been verified. 161 */ 162 private PublicKey verifiedPublicKey; 163 /** 164 * If verifiedPublicKey is not null, name of the provider used to 165 * successfully verify the signature of this certificate, or the 166 * empty String if no provider was explicitly specified. 167 */ 168 private String verifiedProvider; 169 /** 170 * If verifiedPublicKey is not null, result of the verification using 171 * verifiedPublicKey and verifiedProvider. If true, verification was 172 * successful, if false, it failed. 173 */ 174 private boolean verificationResult; 175 176 /** 177 * Default constructor. 178 */ 179 public X509CertImpl() { } 180 181 /** 182 * Unmarshals a certificate from its encoded form, parsing the 183 * encoded bytes. This form of constructor is used by agents which 184 * need to examine and use certificate contents. That is, this is 185 * one of the more commonly used constructors. Note that the buffer 186 * must include only a certificate, and no "garbage" may be left at 187 * the end. If you need to ignore data at the end of a certificate, 188 * use another constructor. 189 * 190 * @param certData the encoded bytes, with no trailing padding. 191 * @exception CertificateException on parsing and initialization errors. 192 */ 193 public X509CertImpl(byte[] certData) throws CertificateException { 194 try { 195 parse(new DerValue(certData)); 196 } catch (IOException e) { 197 signedCert = null; 198 throw new CertificateException("Unable to initialize, " + e, e); 199 } 200 } 201 202 /** 203 * unmarshals an X.509 certificate from an input stream. If the 204 * certificate is RFC1421 hex-encoded, then it must begin with 205 * the line X509Factory.BEGIN_CERT and end with the line 206 * X509Factory.END_CERT. 207 * 208 * @param in an input stream holding at least one certificate that may 209 * be either DER-encoded or RFC1421 hex-encoded version of the 210 * DER-encoded certificate. 211 * @exception CertificateException on parsing and initialization errors. 212 */ 213 public X509CertImpl(InputStream in) throws CertificateException { 214 215 DerValue der = null; 216 217 BufferedInputStream inBuffered = new BufferedInputStream(in); 218 219 // First try reading stream as HEX-encoded DER-encoded bytes, 220 // since not mistakable for raw DER 221 try { 222 inBuffered.mark(Integer.MAX_VALUE); 223 der = readRFC1421Cert(inBuffered); 224 } catch (IOException ioe) { 225 try { 226 // Next, try reading stream as raw DER-encoded bytes 227 inBuffered.reset(); 228 der = new DerValue(inBuffered); 229 } catch (IOException ioe1) { 230 throw new CertificateException("Input stream must be " + 231 "either DER-encoded bytes " + 232 "or RFC1421 hex-encoded " + 233 "DER-encoded bytes: " + 234 ioe1.getMessage(), ioe1); 235 } 236 } 237 try { 238 parse(der); 239 } catch (IOException ioe) { 240 signedCert = null; 241 throw new CertificateException("Unable to parse DER value of " + 242 "certificate, " + ioe, ioe); 243 } 244 } 245 246 /** 247 * read input stream as HEX-encoded DER-encoded bytes 248 * 249 * @param in InputStream to read 250 * @return DerValue corresponding to decoded HEX-encoded bytes 251 * @throws IOException if stream can not be interpreted as RFC1421 252 * encoded bytes 253 */ 254 private DerValue readRFC1421Cert(InputStream in) throws IOException { 255 DerValue der = null; 256 String line = null; 257 BufferedReader certBufferedReader = 258 new BufferedReader(new InputStreamReader(in, "ASCII")); 259 try { 260 line = certBufferedReader.readLine(); 261 } catch (IOException ioe1) { 262 throw new IOException("Unable to read InputStream: " + 263 ioe1.getMessage()); 264 } 265 if (line.equals(X509Factory.BEGIN_CERT)) { 266 /* stream appears to be hex-encoded bytes */ 267 ByteArrayOutputStream decstream = new ByteArrayOutputStream(); 268 try { 269 while ((line = certBufferedReader.readLine()) != null) { 270 if (line.equals(X509Factory.END_CERT)) { 271 der = new DerValue(decstream.toByteArray()); 272 break; 273 } else { 274 decstream.write(Pem.decode(line)); 275 } 276 } 277 } catch (IOException ioe2) { 278 throw new IOException("Unable to read InputStream: " 279 + ioe2.getMessage()); 280 } 281 } else { 282 throw new IOException("InputStream is not RFC1421 hex-encoded " + 283 "DER bytes"); 284 } 285 return der; 286 } 287 288 /** 289 * Construct an initialized X509 Certificate. The certificate is stored 290 * in raw form and has to be signed to be useful. 291 * 292 * @param certInfo the X509CertificateInfo which the Certificate is to be 293 * created from. 294 */ 295 public X509CertImpl(X509CertInfo certInfo) { 296 this.info = certInfo; 297 } 298 299 /** 300 * Unmarshal a certificate from its encoded form, parsing a DER value. 301 * This form of constructor is used by agents which need to examine 302 * and use certificate contents. 303 * 304 * @param derVal the der value containing the encoded cert. 305 * @exception CertificateException on parsing and initialization errors. 306 */ 307 public X509CertImpl(DerValue derVal) throws CertificateException { 308 try { 309 parse(derVal); 310 } catch (IOException e) { 311 signedCert = null; 312 throw new CertificateException("Unable to initialize, " + e, e); 313 } 314 } 315 316 /** 317 * Appends the certificate to an output stream. 318 * 319 * @param out an input stream to which the certificate is appended. 320 * @exception CertificateEncodingException on encoding errors. 321 */ 322 public void encode(OutputStream out) 323 throws CertificateEncodingException { 324 if (signedCert == null) 325 throw new CertificateEncodingException( 326 "Null certificate to encode"); 327 try { 328 out.write(signedCert.clone()); 329 } catch (IOException e) { 330 throw new CertificateEncodingException(e.toString()); 331 } 332 } 333 334 /** 335 * DER encode this object onto an output stream. 336 * Implements the <code>DerEncoder</code> interface. 337 * 338 * @param out the output stream on which to write the DER encoding. 339 * 340 * @exception IOException on encoding error. 341 */ 342 public void derEncode(OutputStream out) throws IOException { 343 if (signedCert == null) 344 throw new IOException("Null certificate to encode"); 345 out.write(signedCert.clone()); 346 } 347 348 /** 349 * Returns the encoded form of this certificate. It is 350 * assumed that each certificate type would have only a single 351 * form of encoding; for example, X.509 certificates would 352 * be encoded as ASN.1 DER. 353 * 354 * @exception CertificateEncodingException if an encoding error occurs. 355 */ 356 public byte[] getEncoded() throws CertificateEncodingException { 357 return getEncodedInternal().clone(); 358 } 359 360 /** 361 * Returned the encoding as an uncloned byte array. Callers must 362 * guarantee that they neither modify it nor expose it to untrusted 363 * code. 364 */ 365 public byte[] getEncodedInternal() throws CertificateEncodingException { 366 if (signedCert == null) { 367 throw new CertificateEncodingException( 368 "Null certificate to encode"); 369 } 370 return signedCert; 371 } 372 373 /** 374 * Throws an exception if the certificate was not signed using the 375 * verification key provided. Successfully verifying a certificate 376 * does <em>not</em> indicate that one should trust the entity which 377 * it represents. 378 * 379 * @param key the public key used for verification. 380 * 381 * @exception InvalidKeyException on incorrect key. 382 * @exception NoSuchAlgorithmException on unsupported signature 383 * algorithms. 384 * @exception NoSuchProviderException if there's no default provider. 385 * @exception SignatureException on signature errors. 386 * @exception CertificateException on encoding errors. 387 */ 388 public void verify(PublicKey key) 389 throws CertificateException, NoSuchAlgorithmException, 390 InvalidKeyException, NoSuchProviderException, SignatureException { 391 392 verify(key, ""); 393 } 394 395 /** 396 * Throws an exception if the certificate was not signed using the 397 * verification key provided. Successfully verifying a certificate 398 * does <em>not</em> indicate that one should trust the entity which 399 * it represents. 400 * 401 * @param key the public key used for verification. 402 * @param sigProvider the name of the provider. 403 * 404 * @exception NoSuchAlgorithmException on unsupported signature 405 * algorithms. 406 * @exception InvalidKeyException on incorrect key. 407 * @exception NoSuchProviderException on incorrect provider. 408 * @exception SignatureException on signature errors. 409 * @exception CertificateException on encoding errors. 410 */ 411 public synchronized void verify(PublicKey key, String sigProvider) 412 throws CertificateException, NoSuchAlgorithmException, 413 InvalidKeyException, NoSuchProviderException, SignatureException { 414 if (sigProvider == null) { 415 sigProvider = ""; 416 } 417 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { 418 // this certificate has already been verified using 419 // this public key. Make sure providers match, too. 420 if (sigProvider.equals(verifiedProvider)) { 421 if (verificationResult) { 422 return; 423 } else { 424 throw new SignatureException("Signature does not match."); 425 } 426 } 427 } 428 if (signedCert == null) { 429 throw new CertificateEncodingException("Uninitialized certificate"); 430 } 431 // Verify the signature ... 432 Signature sigVerf = null; 433 if (sigProvider.length() == 0) { 434 sigVerf = Signature.getInstance(algId.getName()); 435 } else { 436 sigVerf = Signature.getInstance(algId.getName(), sigProvider); 437 } 438 sigVerf.initVerify(key); 439 440 byte[] rawCert = info.getEncodedInfo(); 441 sigVerf.update(rawCert, 0, rawCert.length); 442 443 // verify may throw SignatureException for invalid encodings, etc. 444 verificationResult = sigVerf.verify(signature); 445 verifiedPublicKey = key; 446 verifiedProvider = sigProvider; 447 448 if (verificationResult == false) { 449 throw new SignatureException("Signature does not match."); 450 } 451 } 452 453 /** 454 * Throws an exception if the certificate was not signed using the 455 * verification key provided. This method uses the signature verification 456 * engine supplied by the specified provider. Note that the specified 457 * Provider object does not have to be registered in the provider list. 458 * Successfully verifying a certificate does <em>not</em> indicate that one 459 * should trust the entity which it represents. 460 * 461 * @param key the public key used for verification. 462 * @param sigProvider the provider. 463 * 464 * @exception NoSuchAlgorithmException on unsupported signature 465 * algorithms. 466 * @exception InvalidKeyException on incorrect key. 467 * @exception SignatureException on signature errors. 468 * @exception CertificateException on encoding errors. 469 */ 470 public synchronized void verify(PublicKey key, Provider sigProvider) 471 throws CertificateException, NoSuchAlgorithmException, 472 InvalidKeyException, SignatureException { 473 if (signedCert == null) { 474 throw new CertificateEncodingException("Uninitialized certificate"); 475 } 476 // Verify the signature ... 477 Signature sigVerf = null; 478 if (sigProvider == null) { 479 sigVerf = Signature.getInstance(algId.getName()); 480 } else { 481 sigVerf = Signature.getInstance(algId.getName(), sigProvider); 482 } 483 sigVerf.initVerify(key); 484 485 byte[] rawCert = info.getEncodedInfo(); 486 sigVerf.update(rawCert, 0, rawCert.length); 487 488 // verify may throw SignatureException for invalid encodings, etc. 489 verificationResult = sigVerf.verify(signature); 490 verifiedPublicKey = key; 491 492 if (verificationResult == false) { 493 throw new SignatureException("Signature does not match."); 494 } 495 } 496 497 /** 498 * Creates an X.509 certificate, and signs it using the given key 499 * (associating a signature algorithm and an X.500 name). 500 * This operation is used to implement the certificate generation 501 * functionality of a certificate authority. 502 * 503 * @param key the private key used for signing. 504 * @param algorithm the name of the signature algorithm used. 505 * 506 * @exception InvalidKeyException on incorrect key. 507 * @exception NoSuchAlgorithmException on unsupported signature 508 * algorithms. 509 * @exception NoSuchProviderException if there's no default provider. 510 * @exception SignatureException on signature errors. 511 * @exception CertificateException on encoding errors. 512 */ 513 public void sign(PrivateKey key, String algorithm) 514 throws CertificateException, NoSuchAlgorithmException, 515 InvalidKeyException, NoSuchProviderException, SignatureException { 516 sign(key, algorithm, null); 517 } 518 519 /** 520 * Creates an X.509 certificate, and signs it using the given key 521 * (associating a signature algorithm and an X.500 name). 522 * This operation is used to implement the certificate generation 523 * functionality of a certificate authority. 524 * 525 * @param key the private key used for signing. 526 * @param algorithm the name of the signature algorithm used. 527 * @param provider the name of the provider. 528 * 529 * @exception NoSuchAlgorithmException on unsupported signature 530 * algorithms. 531 * @exception InvalidKeyException on incorrect key. 532 * @exception NoSuchProviderException on incorrect provider. 533 * @exception SignatureException on signature errors. 534 * @exception CertificateException on encoding errors. 535 */ 536 public void sign(PrivateKey key, String algorithm, String provider) 537 throws CertificateException, NoSuchAlgorithmException, 538 InvalidKeyException, NoSuchProviderException, SignatureException { 539 try { 540 if (readOnly) 541 throw new CertificateEncodingException( 542 "cannot over-write existing certificate"); 543 Signature sigEngine = null; 544 if ((provider == null) || (provider.length() == 0)) 545 sigEngine = Signature.getInstance(algorithm); 546 else 547 sigEngine = Signature.getInstance(algorithm, provider); 548 549 sigEngine.initSign(key); 550 551 // in case the name is reset 552 algId = AlgorithmId.get(sigEngine.getAlgorithm()); 553 554 DerOutputStream out = new DerOutputStream(); 555 DerOutputStream tmp = new DerOutputStream(); 556 557 // encode certificate info 558 info.encode(tmp); 559 byte[] rawCert = tmp.toByteArray(); 560 561 // encode algorithm identifier 562 algId.encode(tmp); 563 564 // Create and encode the signature itself. 565 sigEngine.update(rawCert, 0, rawCert.length); 566 signature = sigEngine.sign(); 567 tmp.putBitString(signature); 568 569 // Wrap the signed data in a SEQUENCE { data, algorithm, sig } 570 out.write(DerValue.tag_Sequence, tmp); 571 signedCert = out.toByteArray(); 572 readOnly = true; 573 574 } catch (IOException e) { 575 throw new CertificateEncodingException(e.toString()); 576 } 577 } 578 579 /** 580 * Checks that the certificate is currently valid, i.e. the current 581 * time is within the specified validity period. 582 * 583 * @exception CertificateExpiredException if the certificate has expired. 584 * @exception CertificateNotYetValidException if the certificate is not 585 * yet valid. 586 */ 587 public void checkValidity() 588 throws CertificateExpiredException, CertificateNotYetValidException { 589 Date date = new Date(); 590 checkValidity(date); 591 } 592 593 /** 594 * Checks that the specified date is within the certificate's 595 * validity period, or basically if the certificate would be 596 * valid at the specified date/time. 597 * 598 * @param date the Date to check against to see if this certificate 599 * is valid at that date/time. 600 * 601 * @exception CertificateExpiredException if the certificate has expired 602 * with respect to the <code>date</code> supplied. 603 * @exception CertificateNotYetValidException if the certificate is not 604 * yet valid with respect to the <code>date</code> supplied. 605 */ 606 public void checkValidity(Date date) 607 throws CertificateExpiredException, CertificateNotYetValidException { 608 609 CertificateValidity interval = null; 610 try { 611 interval = (CertificateValidity)info.get(CertificateValidity.NAME); 612 } catch (Exception e) { 613 throw new CertificateNotYetValidException("Incorrect validity period"); 614 } 615 if (interval == null) 616 throw new CertificateNotYetValidException("Null validity period"); 617 interval.valid(date); 618 } 619 620 /** 621 * Return the requested attribute from the certificate. 622 * 623 * Note that the X509CertInfo is not cloned for performance reasons. 624 * Callers must ensure that they do not modify it. All other 625 * attributes are cloned. 626 * 627 * @param name the name of the attribute. 628 * @exception CertificateParsingException on invalid attribute identifier. 629 */ 630 public Object get(String name) 631 throws CertificateParsingException { 632 X509AttributeName attr = new X509AttributeName(name); 633 String id = attr.getPrefix(); 634 if (!(id.equalsIgnoreCase(NAME))) { 635 throw new CertificateParsingException("Invalid root of " 636 + "attribute name, expected [" + NAME + 637 "], received " + "[" + id + "]"); 638 } 639 attr = new X509AttributeName(attr.getSuffix()); 640 id = attr.getPrefix(); 641 642 if (id.equalsIgnoreCase(INFO)) { 643 if (info == null) { 644 return null; 645 } 646 if (attr.getSuffix() != null) { 647 try { 648 return info.get(attr.getSuffix()); 649 } catch (IOException e) { 650 throw new CertificateParsingException(e.toString()); 651 } catch (CertificateException e) { 652 throw new CertificateParsingException(e.toString()); 653 } 654 } else { 655 return info; 656 } 657 } else if (id.equalsIgnoreCase(ALG_ID)) { 658 return(algId); 659 } else if (id.equalsIgnoreCase(SIGNATURE)) { 660 if (signature != null) 661 return signature.clone(); 662 else 663 return null; 664 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 665 if (signedCert != null) 666 return signedCert.clone(); 667 else 668 return null; 669 } else { 670 throw new CertificateParsingException("Attribute name not " 671 + "recognized or get() not allowed for the same: " + id); 672 } 673 } 674 675 /** 676 * Set the requested attribute in the certificate. 677 * 678 * @param name the name of the attribute. 679 * @param obj the value of the attribute. 680 * @exception CertificateException on invalid attribute identifier. 681 * @exception IOException on encoding error of attribute. 682 */ 683 public void set(String name, Object obj) 684 throws CertificateException, IOException { 685 // check if immutable 686 if (readOnly) 687 throw new CertificateException("cannot over-write existing" 688 + " certificate"); 689 690 X509AttributeName attr = new X509AttributeName(name); 691 String id = attr.getPrefix(); 692 if (!(id.equalsIgnoreCase(NAME))) { 693 throw new CertificateException("Invalid root of attribute name," 694 + " expected [" + NAME + "], received " + id); 695 } 696 attr = new X509AttributeName(attr.getSuffix()); 697 id = attr.getPrefix(); 698 699 if (id.equalsIgnoreCase(INFO)) { 700 if (attr.getSuffix() == null) { 701 if (!(obj instanceof X509CertInfo)) { 702 throw new CertificateException("Attribute value should" 703 + " be of type X509CertInfo."); 704 } 705 info = (X509CertInfo)obj; 706 signedCert = null; //reset this as certificate data has changed 707 } else { 708 info.set(attr.getSuffix(), obj); 709 signedCert = null; //reset this as certificate data has changed 710 } 711 } else { 712 throw new CertificateException("Attribute name not recognized or " + 713 "set() not allowed for the same: " + id); 714 } 715 } 716 717 /** 718 * Delete the requested attribute from the certificate. 719 * 720 * @param name the name of the attribute. 721 * @exception CertificateException on invalid attribute identifier. 722 * @exception IOException on other errors. 723 */ 724 public void delete(String name) 725 throws CertificateException, IOException { 726 // check if immutable 727 if (readOnly) 728 throw new CertificateException("cannot over-write existing" 729 + " certificate"); 730 731 X509AttributeName attr = new X509AttributeName(name); 732 String id = attr.getPrefix(); 733 if (!(id.equalsIgnoreCase(NAME))) { 734 throw new CertificateException("Invalid root of attribute name," 735 + " expected [" 736 + NAME + "], received " + id); 737 } 738 attr = new X509AttributeName(attr.getSuffix()); 739 id = attr.getPrefix(); 740 741 if (id.equalsIgnoreCase(INFO)) { 742 if (attr.getSuffix() != null) { 743 info = null; 744 } else { 745 info.delete(attr.getSuffix()); 746 } 747 } else if (id.equalsIgnoreCase(ALG_ID)) { 748 algId = null; 749 } else if (id.equalsIgnoreCase(SIGNATURE)) { 750 signature = null; 751 } else if (id.equalsIgnoreCase(SIGNED_CERT)) { 752 signedCert = null; 753 } else { 754 throw new CertificateException("Attribute name not recognized or " + 755 "delete() not allowed for the same: " + id); 756 } 757 } 758 759 /** 760 * Return an enumeration of names of attributes existing within this 761 * attribute. 762 */ 763 public Enumeration<String> getElements() { 764 AttributeNameEnumeration elements = new AttributeNameEnumeration(); 765 elements.addElement(NAME + DOT + INFO); 766 elements.addElement(NAME + DOT + ALG_ID); 767 elements.addElement(NAME + DOT + SIGNATURE); 768 elements.addElement(NAME + DOT + SIGNED_CERT); 769 770 return elements.elements(); 771 } 772 773 /** 774 * Return the name of this attribute. 775 */ 776 public String getName() { 777 return(NAME); 778 } 779 780 /** 781 * Returns a printable representation of the certificate. This does not 782 * contain all the information available to distinguish this from any 783 * other certificate. The certificate must be fully constructed 784 * before this function may be called. 785 */ 786 public String toString() { 787 if (info == null || algId == null || signature == null) 788 return ""; 789 790 HexDumpEncoder encoder = new HexDumpEncoder(); 791 return "[\n" + info + '\n' + 792 " Algorithm: [" + algId + "]\n" + 793 " Signature:\n" + encoder.encodeBuffer(signature) + "\n]"; 794 } 795 796 // the strongly typed gets, as per java.security.cert.X509Certificate 797 798 /** 799 * Gets the publickey from this certificate. 800 * 801 * @return the publickey. 802 */ 803 public PublicKey getPublicKey() { 804 if (info == null) 805 return null; 806 try { 807 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME 808 + DOT + CertificateX509Key.KEY); 809 return key; 810 } catch (Exception e) { 811 return null; 812 } 813 } 814 815 /** 816 * Gets the version number from the certificate. 817 * 818 * @return the version number, i.e. 1, 2 or 3. 819 */ 820 public int getVersion() { 821 if (info == null) 822 return -1; 823 try { 824 int vers = ((Integer)info.get(CertificateVersion.NAME 825 + DOT + CertificateVersion.VERSION)).intValue(); 826 return vers+1; 827 } catch (Exception e) { 828 return -1; 829 } 830 } 831 832 /** 833 * Gets the serial number from the certificate. 834 * 835 * @return the serial number. 836 */ 837 public BigInteger getSerialNumber() { 838 SerialNumber ser = getSerialNumberObject(); 839 840 return ser != null ? ser.getNumber() : null; 841 } 842 843 /** 844 * Gets the serial number from the certificate as 845 * a SerialNumber object. 846 * 847 * @return the serial number. 848 */ 849 public SerialNumber getSerialNumberObject() { 850 if (info == null) 851 return null; 852 try { 853 SerialNumber ser = (SerialNumber)info.get( 854 CertificateSerialNumber.NAME + DOT + 855 CertificateSerialNumber.NUMBER); 856 return ser; 857 } catch (Exception e) { 858 return null; 859 } 860 } 861 862 863 /** 864 * Gets the subject distinguished name from the certificate. 865 * 866 * @return the subject name. 867 */ 868 public Principal getSubjectDN() { 869 if (info == null) 870 return null; 871 try { 872 Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT + 873 X509CertInfo.DN_NAME); 874 return subject; 875 } catch (Exception e) { 876 return null; 877 } 878 } 879 880 /** 881 * Get subject name as X500Principal. Overrides implementation in 882 * X509Certificate with a slightly more efficient version that is 883 * also aware of X509CertImpl mutability. 884 */ 885 public X500Principal getSubjectX500Principal() { 886 if (info == null) { 887 return null; 888 } 889 try { 890 X500Principal subject = (X500Principal)info.get( 891 X509CertInfo.SUBJECT + DOT + 892 "x500principal"); 893 return subject; 894 } catch (Exception e) { 895 return null; 896 } 897 } 898 899 /** 900 * Gets the issuer distinguished name from the certificate. 901 * 902 * @return the issuer name. 903 */ 904 public Principal getIssuerDN() { 905 if (info == null) 906 return null; 907 try { 908 Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT + 909 X509CertInfo.DN_NAME); 910 return issuer; 911 } catch (Exception e) { 912 return null; 913 } 914 } 915 916 /** 917 * Get issuer name as X500Principal. Overrides implementation in 918 * X509Certificate with a slightly more efficient version that is 919 * also aware of X509CertImpl mutability. 920 */ 921 public X500Principal getIssuerX500Principal() { 922 if (info == null) { 923 return null; 924 } 925 try { 926 X500Principal issuer = (X500Principal)info.get( 927 X509CertInfo.ISSUER + DOT + 928 "x500principal"); 929 return issuer; 930 } catch (Exception e) { 931 return null; 932 } 933 } 934 935 /** 936 * Gets the notBefore date from the validity period of the certificate. 937 * 938 * @return the start date of the validity period. 939 */ 940 public Date getNotBefore() { 941 if (info == null) 942 return null; 943 try { 944 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 945 CertificateValidity.NOT_BEFORE); 946 return d; 947 } catch (Exception e) { 948 return null; 949 } 950 } 951 952 /** 953 * Gets the notAfter date from the validity period of the certificate. 954 * 955 * @return the end date of the validity period. 956 */ 957 public Date getNotAfter() { 958 if (info == null) 959 return null; 960 try { 961 Date d = (Date) info.get(CertificateValidity.NAME + DOT + 962 CertificateValidity.NOT_AFTER); 963 return d; 964 } catch (Exception e) { 965 return null; 966 } 967 } 968 969 /** 970 * Gets the DER encoded certificate informations, the 971 * <code>tbsCertificate</code> from this certificate. 972 * This can be used to verify the signature independently. 973 * 974 * @return the DER encoded certificate information. 975 * @exception CertificateEncodingException if an encoding error occurs. 976 */ 977 public byte[] getTBSCertificate() throws CertificateEncodingException { 978 if (info != null) { 979 return info.getEncodedInfo(); 980 } else 981 throw new CertificateEncodingException("Uninitialized certificate"); 982 } 983 984 /** 985 * Gets the raw Signature bits from the certificate. 986 * 987 * @return the signature. 988 */ 989 public byte[] getSignature() { 990 if (signature == null) 991 return null; 992 return signature.clone(); 993 } 994 995 /** 996 * Gets the signature algorithm name for the certificate 997 * signature algorithm. 998 * For example, the string "SHA-1/DSA" or "DSS". 999 * 1000 * @return the signature algorithm name. 1001 */ 1002 public String getSigAlgName() { 1003 if (algId == null) 1004 return null; 1005 return (algId.getName()); 1006 } 1007 1008 /** 1009 * Gets the signature algorithm OID string from the certificate. 1010 * For example, the string "1.2.840.10040.4.3" 1011 * 1012 * @return the signature algorithm oid string. 1013 */ 1014 public String getSigAlgOID() { 1015 if (algId == null) 1016 return null; 1017 ObjectIdentifier oid = algId.getOID(); 1018 return (oid.toString()); 1019 } 1020 1021 /** 1022 * Gets the DER encoded signature algorithm parameters from this 1023 * certificate's signature algorithm. 1024 * 1025 * @return the DER encoded signature algorithm parameters, or 1026 * null if no parameters are present. 1027 */ 1028 public byte[] getSigAlgParams() { 1029 if (algId == null) 1030 return null; 1031 try { 1032 return algId.getEncodedParams(); 1033 } catch (IOException e) { 1034 return null; 1035 } 1036 } 1037 1038 /** 1039 * Gets the Issuer Unique Identity from the certificate. 1040 * 1041 * @return the Issuer Unique Identity. 1042 */ 1043 public boolean[] getIssuerUniqueID() { 1044 if (info == null) 1045 return null; 1046 try { 1047 UniqueIdentity id = (UniqueIdentity)info.get( 1048 X509CertInfo.ISSUER_ID); 1049 if (id == null) 1050 return null; 1051 else 1052 return (id.getId()); 1053 } catch (Exception e) { 1054 return null; 1055 } 1056 } 1057 1058 /** 1059 * Gets the Subject Unique Identity from the certificate. 1060 * 1061 * @return the Subject Unique Identity. 1062 */ 1063 public boolean[] getSubjectUniqueID() { 1064 if (info == null) 1065 return null; 1066 try { 1067 UniqueIdentity id = (UniqueIdentity)info.get( 1068 X509CertInfo.SUBJECT_ID); 1069 if (id == null) 1070 return null; 1071 else 1072 return (id.getId()); 1073 } catch (Exception e) { 1074 return null; 1075 } 1076 } 1077 1078 public KeyIdentifier getAuthKeyId() { 1079 AuthorityKeyIdentifierExtension aki 1080 = getAuthorityKeyIdentifierExtension(); 1081 if (aki != null) { 1082 try { 1083 return (KeyIdentifier)aki.get( 1084 AuthorityKeyIdentifierExtension.KEY_ID); 1085 } catch (IOException ioe) {} // not possible 1086 } 1087 return null; 1088 } 1089 1090 /** 1091 * Returns the subject's key identifier, or null 1092 */ 1093 public KeyIdentifier getSubjectKeyId() { 1094 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension(); 1095 if (ski != null) { 1096 try { 1097 return ski.get(SubjectKeyIdentifierExtension.KEY_ID); 1098 } catch (IOException ioe) {} // not possible 1099 } 1100 return null; 1101 } 1102 1103 /** 1104 * Get AuthorityKeyIdentifier extension 1105 * @return AuthorityKeyIdentifier object or null (if no such object 1106 * in certificate) 1107 */ 1108 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension() 1109 { 1110 return (AuthorityKeyIdentifierExtension) 1111 getExtension(PKIXExtensions.AuthorityKey_Id); 1112 } 1113 1114 /** 1115 * Get BasicConstraints extension 1116 * @return BasicConstraints object or null (if no such object in 1117 * certificate) 1118 */ 1119 public BasicConstraintsExtension getBasicConstraintsExtension() { 1120 return (BasicConstraintsExtension) 1121 getExtension(PKIXExtensions.BasicConstraints_Id); 1122 } 1123 1124 /** 1125 * Get CertificatePoliciesExtension 1126 * @return CertificatePoliciesExtension or null (if no such object in 1127 * certificate) 1128 */ 1129 public CertificatePoliciesExtension getCertificatePoliciesExtension() { 1130 return (CertificatePoliciesExtension) 1131 getExtension(PKIXExtensions.CertificatePolicies_Id); 1132 } 1133 1134 /** 1135 * Get ExtendedKeyUsage extension 1136 * @return ExtendedKeyUsage extension object or null (if no such object 1137 * in certificate) 1138 */ 1139 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() { 1140 return (ExtendedKeyUsageExtension) 1141 getExtension(PKIXExtensions.ExtendedKeyUsage_Id); 1142 } 1143 1144 /** 1145 * Get IssuerAlternativeName extension 1146 * @return IssuerAlternativeName object or null (if no such object in 1147 * certificate) 1148 */ 1149 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() { 1150 return (IssuerAlternativeNameExtension) 1151 getExtension(PKIXExtensions.IssuerAlternativeName_Id); 1152 } 1153 1154 /** 1155 * Get NameConstraints extension 1156 * @return NameConstraints object or null (if no such object in certificate) 1157 */ 1158 public NameConstraintsExtension getNameConstraintsExtension() { 1159 return (NameConstraintsExtension) 1160 getExtension(PKIXExtensions.NameConstraints_Id); 1161 } 1162 1163 /** 1164 * Get PolicyConstraints extension 1165 * @return PolicyConstraints object or null (if no such object in 1166 * certificate) 1167 */ 1168 public PolicyConstraintsExtension getPolicyConstraintsExtension() { 1169 return (PolicyConstraintsExtension) 1170 getExtension(PKIXExtensions.PolicyConstraints_Id); 1171 } 1172 1173 /** 1174 * Get PolicyMappingsExtension extension 1175 * @return PolicyMappingsExtension object or null (if no such object 1176 * in certificate) 1177 */ 1178 public PolicyMappingsExtension getPolicyMappingsExtension() { 1179 return (PolicyMappingsExtension) 1180 getExtension(PKIXExtensions.PolicyMappings_Id); 1181 } 1182 1183 /** 1184 * Get PrivateKeyUsage extension 1185 * @return PrivateKeyUsage object or null (if no such object in certificate) 1186 */ 1187 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() { 1188 return (PrivateKeyUsageExtension) 1189 getExtension(PKIXExtensions.PrivateKeyUsage_Id); 1190 } 1191 1192 /** 1193 * Get SubjectAlternativeName extension 1194 * @return SubjectAlternativeName object or null (if no such object in 1195 * certificate) 1196 */ 1197 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension() 1198 { 1199 return (SubjectAlternativeNameExtension) 1200 getExtension(PKIXExtensions.SubjectAlternativeName_Id); 1201 } 1202 1203 /** 1204 * Get SubjectKeyIdentifier extension 1205 * @return SubjectKeyIdentifier object or null (if no such object in 1206 * certificate) 1207 */ 1208 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() { 1209 return (SubjectKeyIdentifierExtension) 1210 getExtension(PKIXExtensions.SubjectKey_Id); 1211 } 1212 1213 /** 1214 * Get CRLDistributionPoints extension 1215 * @return CRLDistributionPoints object or null (if no such object in 1216 * certificate) 1217 */ 1218 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() { 1219 return (CRLDistributionPointsExtension) 1220 getExtension(PKIXExtensions.CRLDistributionPoints_Id); 1221 } 1222 1223 /** 1224 * Return true if a critical extension is found that is 1225 * not supported, otherwise return false. 1226 */ 1227 public boolean hasUnsupportedCriticalExtension() { 1228 if (info == null) 1229 return false; 1230 try { 1231 CertificateExtensions exts = (CertificateExtensions)info.get( 1232 CertificateExtensions.NAME); 1233 if (exts == null) 1234 return false; 1235 return exts.hasUnsupportedCriticalExtension(); 1236 } catch (Exception e) { 1237 return false; 1238 } 1239 } 1240 1241 /** 1242 * Gets a Set of the extension(s) marked CRITICAL in the 1243 * certificate. In the returned set, each extension is 1244 * represented by its OID string. 1245 * 1246 * @return a set of the extension oid strings in the 1247 * certificate that are marked critical. 1248 */ 1249 public Set<String> getCriticalExtensionOIDs() { 1250 if (info == null) { 1251 return null; 1252 } 1253 try { 1254 CertificateExtensions exts = (CertificateExtensions)info.get( 1255 CertificateExtensions.NAME); 1256 if (exts == null) { 1257 return null; 1258 } 1259 Set<String> extSet = new TreeSet<>(); 1260 for (Extension ex : exts.getAllExtensions()) { 1261 if (ex.isCritical()) { 1262 extSet.add(ex.getExtensionId().toString()); 1263 } 1264 } 1265 return extSet; 1266 } catch (Exception e) { 1267 return null; 1268 } 1269 } 1270 1271 /** 1272 * Gets a Set of the extension(s) marked NON-CRITICAL in the 1273 * certificate. In the returned set, each extension is 1274 * represented by its OID string. 1275 * 1276 * @return a set of the extension oid strings in the 1277 * certificate that are NOT marked critical. 1278 */ 1279 public Set<String> getNonCriticalExtensionOIDs() { 1280 if (info == null) { 1281 return null; 1282 } 1283 try { 1284 CertificateExtensions exts = (CertificateExtensions)info.get( 1285 CertificateExtensions.NAME); 1286 if (exts == null) { 1287 return null; 1288 } 1289 Set<String> extSet = new TreeSet<>(); 1290 for (Extension ex : exts.getAllExtensions()) { 1291 if (!ex.isCritical()) { 1292 extSet.add(ex.getExtensionId().toString()); 1293 } 1294 } 1295 extSet.addAll(exts.getUnparseableExtensions().keySet()); 1296 return extSet; 1297 } catch (Exception e) { 1298 return null; 1299 } 1300 } 1301 1302 /** 1303 * Gets the extension identified by the given ObjectIdentifier 1304 * 1305 * @param oid the Object Identifier value for the extension. 1306 * @return Extension or null if certificate does not contain this 1307 * extension 1308 */ 1309 public Extension getExtension(ObjectIdentifier oid) { 1310 if (info == null) { 1311 return null; 1312 } 1313 try { 1314 CertificateExtensions extensions; 1315 try { 1316 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1317 } catch (CertificateException ce) { 1318 return null; 1319 } 1320 if (extensions == null) { 1321 return null; 1322 } else { 1323 Extension ex = extensions.getExtension(oid.toString()); 1324 if (ex != null) { 1325 return ex; 1326 } 1327 for (Extension ex2: extensions.getAllExtensions()) { 1328 if (ex2.getExtensionId().equals(oid)) { 1329 //XXXX May want to consider cloning this 1330 return ex2; 1331 } 1332 } 1333 /* no such extension in this certificate */ 1334 return null; 1335 } 1336 } catch (IOException ioe) { 1337 return null; 1338 } 1339 } 1340 1341 public Extension getUnparseableExtension(ObjectIdentifier oid) { 1342 if (info == null) { 1343 return null; 1344 } 1345 try { 1346 CertificateExtensions extensions; 1347 try { 1348 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME); 1349 } catch (CertificateException ce) { 1350 return null; 1351 } 1352 if (extensions == null) { 1353 return null; 1354 } else { 1355 return extensions.getUnparseableExtensions().get(oid.toString()); 1356 } 1357 } catch (IOException ioe) { 1358 return null; 1359 } 1360 } 1361 1362 /** 1363 * Gets the DER encoded extension identified by the given 1364 * oid String. 1365 * 1366 * @param oid the Object Identifier value for the extension. 1367 */ 1368 public byte[] getExtensionValue(String oid) { 1369 try { 1370 ObjectIdentifier findOID = new ObjectIdentifier(oid); 1371 String extAlias = OIDMap.getName(findOID); 1372 Extension certExt = null; 1373 CertificateExtensions exts = (CertificateExtensions)info.get( 1374 CertificateExtensions.NAME); 1375 1376 if (extAlias == null) { // may be unknown 1377 // get the extensions, search thru' for this oid 1378 if (exts == null) { 1379 return null; 1380 } 1381 1382 for (Extension ex : exts.getAllExtensions()) { 1383 ObjectIdentifier inCertOID = ex.getExtensionId(); 1384 if (inCertOID.equals(findOID)) { 1385 certExt = ex; 1386 break; 1387 } 1388 } 1389 } else { // there's sub-class that can handle this extension 1390 try { 1391 certExt = (Extension)this.get(extAlias); 1392 } catch (CertificateException e) { 1393 // get() throws an Exception instead of returning null, ignore 1394 } 1395 } 1396 if (certExt == null) { 1397 if (exts != null) { 1398 certExt = exts.getUnparseableExtensions().get(oid); 1399 } 1400 if (certExt == null) { 1401 return null; 1402 } 1403 } 1404 byte[] extData = certExt.getExtensionValue(); 1405 if (extData == null) { 1406 return null; 1407 } 1408 DerOutputStream out = new DerOutputStream(); 1409 out.putOctetString(extData); 1410 return out.toByteArray(); 1411 } catch (Exception e) { 1412 return null; 1413 } 1414 } 1415 1416 /** 1417 * Get a boolean array representing the bits of the KeyUsage extension, 1418 * (oid = 2.5.29.15). 1419 * @return the bit values of this extension as an array of booleans. 1420 */ 1421 public boolean[] getKeyUsage() { 1422 try { 1423 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id); 1424 if (extAlias == null) 1425 return null; 1426 1427 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias); 1428 if (certExt == null) 1429 return null; 1430 1431 boolean[] ret = certExt.getBits(); 1432 if (ret.length < NUM_STANDARD_KEY_USAGE) { 1433 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE]; 1434 System.arraycopy(ret, 0, usageBits, 0, ret.length); 1435 ret = usageBits; 1436 } 1437 return ret; 1438 } catch (Exception e) { 1439 return null; 1440 } 1441 } 1442 1443 /** 1444 * This method are the overridden implementation of 1445 * getExtendedKeyUsage method in X509Certificate in the Sun 1446 * provider. It is better performance-wise since it returns cached 1447 * values. 1448 */ 1449 public synchronized List<String> getExtendedKeyUsage() 1450 throws CertificateParsingException { 1451 if (readOnly && extKeyUsage != null) { 1452 return extKeyUsage; 1453 } else { 1454 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension(); 1455 if (ext == null) { 1456 return null; 1457 } 1458 extKeyUsage = 1459 Collections.unmodifiableList(ext.getExtendedKeyUsage()); 1460 return extKeyUsage; 1461 } 1462 } 1463 1464 /** 1465 * This static method is the default implementation of the 1466 * getExtendedKeyUsage method in X509Certificate. A 1467 * X509Certificate provider generally should overwrite this to 1468 * provide among other things caching for better performance. 1469 */ 1470 public static List<String> getExtendedKeyUsage(X509Certificate cert) 1471 throws CertificateParsingException { 1472 try { 1473 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID); 1474 if (ext == null) 1475 return null; 1476 DerValue val = new DerValue(ext); 1477 byte[] data = val.getOctetString(); 1478 1479 ExtendedKeyUsageExtension ekuExt = 1480 new ExtendedKeyUsageExtension(Boolean.FALSE, data); 1481 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage()); 1482 } catch (IOException ioe) { 1483 throw new CertificateParsingException(ioe); 1484 } 1485 } 1486 1487 /** 1488 * Get the certificate constraints path length from 1489 * the critical BasicConstraints extension, (oid = 2.5.29.19). 1490 * @return the length of the constraint. 1491 */ 1492 public int getBasicConstraints() { 1493 try { 1494 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id); 1495 if (extAlias == null) 1496 return -1; 1497 BasicConstraintsExtension certExt = 1498 (BasicConstraintsExtension)this.get(extAlias); 1499 if (certExt == null) 1500 return -1; 1501 1502 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA) 1503 ).booleanValue() == true) 1504 return ((Integer)certExt.get( 1505 BasicConstraintsExtension.PATH_LEN)).intValue(); 1506 else 1507 return -1; 1508 } catch (Exception e) { 1509 return -1; 1510 } 1511 } 1512 1513 /** 1514 * Converts a GeneralNames structure into an immutable Collection of 1515 * alternative names (subject or issuer) in the form required by 1516 * {@link #getSubjectAlternativeNames} or 1517 * {@link #getIssuerAlternativeNames}. 1518 * 1519 * @param names the GeneralNames to be converted 1520 * @return an immutable Collection of alternative names 1521 */ 1522 private static Collection<List<?>> makeAltNames(GeneralNames names) { 1523 if (names.isEmpty()) { 1524 return Collections.<List<?>>emptySet(); 1525 } 1526 List<List<?>> newNames = new ArrayList<>(); 1527 for (GeneralName gname : names.names()) { 1528 GeneralNameInterface name = gname.getName(); 1529 List<Object> nameEntry = new ArrayList<>(2); 1530 nameEntry.add(Integer.valueOf(name.getType())); 1531 switch (name.getType()) { 1532 case GeneralNameInterface.NAME_RFC822: 1533 nameEntry.add(((RFC822Name) name).getName()); 1534 break; 1535 case GeneralNameInterface.NAME_DNS: 1536 nameEntry.add(((DNSName) name).getName()); 1537 break; 1538 case GeneralNameInterface.NAME_DIRECTORY: 1539 nameEntry.add(((X500Name) name).getRFC2253Name()); 1540 break; 1541 case GeneralNameInterface.NAME_URI: 1542 nameEntry.add(((URIName) name).getName()); 1543 break; 1544 case GeneralNameInterface.NAME_IP: 1545 try { 1546 nameEntry.add(((IPAddressName) name).getName()); 1547 } catch (IOException ioe) { 1548 // IPAddressName in cert is bogus 1549 throw new RuntimeException("IPAddress cannot be parsed", 1550 ioe); 1551 } 1552 break; 1553 case GeneralNameInterface.NAME_OID: 1554 nameEntry.add(((OIDName) name).getOID().toString()); 1555 break; 1556 default: 1557 // add DER encoded form 1558 DerOutputStream derOut = new DerOutputStream(); 1559 try { 1560 name.encode(derOut); 1561 } catch (IOException ioe) { 1562 // should not occur since name has already been decoded 1563 // from cert (this would indicate a bug in our code) 1564 throw new RuntimeException("name cannot be encoded", ioe); 1565 } 1566 nameEntry.add(derOut.toByteArray()); 1567 break; 1568 } 1569 newNames.add(Collections.unmodifiableList(nameEntry)); 1570 } 1571 return Collections.unmodifiableCollection(newNames); 1572 } 1573 1574 /** 1575 * Checks a Collection of altNames and clones any name entries of type 1576 * byte []. 1577 */ // only partially generified due to javac bug 1578 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) { 1579 boolean mustClone = false; 1580 for (List<?> nameEntry : altNames) { 1581 if (nameEntry.get(1) instanceof byte[]) { 1582 // must clone names 1583 mustClone = true; 1584 } 1585 } 1586 if (mustClone) { 1587 List<List<?>> namesCopy = new ArrayList<>(); 1588 for (List<?> nameEntry : altNames) { 1589 Object nameObject = nameEntry.get(1); 1590 if (nameObject instanceof byte[]) { 1591 List<Object> nameEntryCopy = 1592 new ArrayList<>(nameEntry); 1593 nameEntryCopy.set(1, ((byte[])nameObject).clone()); 1594 namesCopy.add(Collections.unmodifiableList(nameEntryCopy)); 1595 } else { 1596 namesCopy.add(nameEntry); 1597 } 1598 } 1599 return Collections.unmodifiableCollection(namesCopy); 1600 } else { 1601 return altNames; 1602 } 1603 } 1604 1605 /** 1606 * This method are the overridden implementation of 1607 * getSubjectAlternativeNames method in X509Certificate in the Sun 1608 * provider. It is better performance-wise since it returns cached 1609 * values. 1610 */ 1611 public synchronized Collection<List<?>> getSubjectAlternativeNames() 1612 throws CertificateParsingException { 1613 // return cached value if we can 1614 if (readOnly && subjectAlternativeNames != null) { 1615 return cloneAltNames(subjectAlternativeNames); 1616 } 1617 SubjectAlternativeNameExtension subjectAltNameExt = 1618 getSubjectAlternativeNameExtension(); 1619 if (subjectAltNameExt == null) { 1620 return null; 1621 } 1622 GeneralNames names; 1623 try { 1624 names = subjectAltNameExt.get( 1625 SubjectAlternativeNameExtension.SUBJECT_NAME); 1626 } catch (IOException ioe) { 1627 // should not occur 1628 return Collections.<List<?>>emptySet(); 1629 } 1630 subjectAlternativeNames = makeAltNames(names); 1631 return subjectAlternativeNames; 1632 } 1633 1634 /** 1635 * This static method is the default implementation of the 1636 * getSubjectAlternaitveNames method in X509Certificate. A 1637 * X509Certificate provider generally should overwrite this to 1638 * provide among other things caching for better performance. 1639 */ 1640 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert) 1641 throws CertificateParsingException { 1642 try { 1643 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID); 1644 if (ext == null) { 1645 return null; 1646 } 1647 DerValue val = new DerValue(ext); 1648 byte[] data = val.getOctetString(); 1649 1650 SubjectAlternativeNameExtension subjectAltNameExt = 1651 new SubjectAlternativeNameExtension(Boolean.FALSE, 1652 data); 1653 1654 GeneralNames names; 1655 try { 1656 names = subjectAltNameExt.get( 1657 SubjectAlternativeNameExtension.SUBJECT_NAME); 1658 } catch (IOException ioe) { 1659 // should not occur 1660 return Collections.<List<?>>emptySet(); 1661 } 1662 return makeAltNames(names); 1663 } catch (IOException ioe) { 1664 throw new CertificateParsingException(ioe); 1665 } 1666 } 1667 1668 /** 1669 * This method are the overridden implementation of 1670 * getIssuerAlternativeNames method in X509Certificate in the Sun 1671 * provider. It is better performance-wise since it returns cached 1672 * values. 1673 */ 1674 public synchronized Collection<List<?>> getIssuerAlternativeNames() 1675 throws CertificateParsingException { 1676 // return cached value if we can 1677 if (readOnly && issuerAlternativeNames != null) { 1678 return cloneAltNames(issuerAlternativeNames); 1679 } 1680 IssuerAlternativeNameExtension issuerAltNameExt = 1681 getIssuerAlternativeNameExtension(); 1682 if (issuerAltNameExt == null) { 1683 return null; 1684 } 1685 GeneralNames names; 1686 try { 1687 names = issuerAltNameExt.get( 1688 IssuerAlternativeNameExtension.ISSUER_NAME); 1689 } catch (IOException ioe) { 1690 // should not occur 1691 return Collections.<List<?>>emptySet(); 1692 } 1693 issuerAlternativeNames = makeAltNames(names); 1694 return issuerAlternativeNames; 1695 } 1696 1697 /** 1698 * This static method is the default implementation of the 1699 * getIssuerAlternaitveNames method in X509Certificate. A 1700 * X509Certificate provider generally should overwrite this to 1701 * provide among other things caching for better performance. 1702 */ 1703 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert) 1704 throws CertificateParsingException { 1705 try { 1706 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID); 1707 if (ext == null) { 1708 return null; 1709 } 1710 1711 DerValue val = new DerValue(ext); 1712 byte[] data = val.getOctetString(); 1713 1714 IssuerAlternativeNameExtension issuerAltNameExt = 1715 new IssuerAlternativeNameExtension(Boolean.FALSE, 1716 data); 1717 GeneralNames names; 1718 try { 1719 names = issuerAltNameExt.get( 1720 IssuerAlternativeNameExtension.ISSUER_NAME); 1721 } catch (IOException ioe) { 1722 // should not occur 1723 return Collections.<List<?>>emptySet(); 1724 } 1725 return makeAltNames(names); 1726 } catch (IOException ioe) { 1727 throw new CertificateParsingException(ioe); 1728 } 1729 } 1730 1731 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() { 1732 return (AuthorityInfoAccessExtension) 1733 getExtension(PKIXExtensions.AuthInfoAccess_Id); 1734 } 1735 1736 /************************************************************/ 1737 1738 /* 1739 * Cert is a SIGNED ASN.1 macro, a three elment sequence: 1740 * 1741 * - Data to be signed (ToBeSigned) -- the "raw" cert 1742 * - Signature algorithm (SigAlgId) 1743 * - The signature bits 1744 * 1745 * This routine unmarshals the certificate, saving the signature 1746 * parts away for later verification. 1747 */ 1748 private void parse(DerValue val) 1749 throws CertificateException, IOException { 1750 // check if can over write the certificate 1751 if (readOnly) 1752 throw new CertificateParsingException( 1753 "cannot over-write existing certificate"); 1754 1755 if (val.data == null || val.tag != DerValue.tag_Sequence) 1756 throw new CertificateParsingException( 1757 "invalid DER-encoded certificate data"); 1758 1759 signedCert = val.toByteArray(); 1760 DerValue[] seq = new DerValue[3]; 1761 1762 seq[0] = val.data.getDerValue(); 1763 seq[1] = val.data.getDerValue(); 1764 seq[2] = val.data.getDerValue(); 1765 1766 if (val.data.available() != 0) { 1767 throw new CertificateParsingException("signed overrun, bytes = " 1768 + val.data.available()); 1769 } 1770 if (seq[0].tag != DerValue.tag_Sequence) { 1771 throw new CertificateParsingException("signed fields invalid"); 1772 } 1773 1774 algId = AlgorithmId.parse(seq[1]); 1775 signature = seq[2].getBitString(); 1776 1777 if (seq[1].data.available() != 0) { 1778 throw new CertificateParsingException("algid field overrun"); 1779 } 1780 if (seq[2].data.available() != 0) 1781 throw new CertificateParsingException("signed fields overrun"); 1782 1783 // The CertificateInfo 1784 info = new X509CertInfo(seq[0]); 1785 1786 // the "inner" and "outer" signature algorithms must match 1787 AlgorithmId infoSigAlg = (AlgorithmId)info.get( 1788 CertificateAlgorithmId.NAME 1789 + DOT + 1790 CertificateAlgorithmId.ALGORITHM); 1791 if (! algId.equals(infoSigAlg)) 1792 throw new CertificateException("Signature algorithm mismatch"); 1793 readOnly = true; 1794 } 1795 1796 /** 1797 * Extract the subject or issuer X500Principal from an X509Certificate. 1798 * Parses the encoded form of the cert to preserve the principal's 1799 * ASN.1 encoding. 1800 */ 1801 private static X500Principal getX500Principal(X509Certificate cert, 1802 boolean getIssuer) throws Exception { 1803 byte[] encoded = cert.getEncoded(); 1804 DerInputStream derIn = new DerInputStream(encoded); 1805 DerValue tbsCert = derIn.getSequence(3)[0]; 1806 DerInputStream tbsIn = tbsCert.data; 1807 DerValue tmp; 1808 tmp = tbsIn.getDerValue(); 1809 // skip version number if present 1810 if (tmp.isContextSpecific((byte)0)) { 1811 tmp = tbsIn.getDerValue(); 1812 } 1813 // tmp always contains serial number now 1814 tmp = tbsIn.getDerValue(); // skip signature 1815 tmp = tbsIn.getDerValue(); // issuer 1816 if (getIssuer == false) { 1817 tmp = tbsIn.getDerValue(); // skip validity 1818 tmp = tbsIn.getDerValue(); // subject 1819 } 1820 byte[] principalBytes = tmp.toByteArray(); 1821 return new X500Principal(principalBytes); 1822 } 1823 1824 /** 1825 * Extract the subject X500Principal from an X509Certificate. 1826 * Called from java.security.cert.X509Certificate.getSubjectX500Principal(). 1827 */ 1828 public static X500Principal getSubjectX500Principal(X509Certificate cert) { 1829 try { 1830 return getX500Principal(cert, false); 1831 } catch (Exception e) { 1832 throw new RuntimeException("Could not parse subject", e); 1833 } 1834 } 1835 1836 /** 1837 * Extract the issuer X500Principal from an X509Certificate. 1838 * Called from java.security.cert.X509Certificate.getIssuerX500Principal(). 1839 */ 1840 public static X500Principal getIssuerX500Principal(X509Certificate cert) { 1841 try { 1842 return getX500Principal(cert, true); 1843 } catch (Exception e) { 1844 throw new RuntimeException("Could not parse issuer", e); 1845 } 1846 } 1847 1848 /** 1849 * Returned the encoding of the given certificate for internal use. 1850 * Callers must guarantee that they neither modify it nor expose it 1851 * to untrusted code. Uses getEncodedInternal() if the certificate 1852 * is instance of X509CertImpl, getEncoded() otherwise. 1853 */ 1854 public static byte[] getEncodedInternal(Certificate cert) 1855 throws CertificateEncodingException { 1856 if (cert instanceof X509CertImpl) { 1857 return ((X509CertImpl)cert).getEncodedInternal(); 1858 } else { 1859 return cert.getEncoded(); 1860 } 1861 } 1862 1863 /** 1864 * Utility method to convert an arbitrary instance of X509Certificate 1865 * to a X509CertImpl. Does a cast if possible, otherwise reparses 1866 * the encoding. 1867 */ 1868 public static X509CertImpl toImpl(X509Certificate cert) 1869 throws CertificateException { 1870 if (cert instanceof X509CertImpl) { 1871 return (X509CertImpl)cert; 1872 } else { 1873 return X509Factory.intern(cert); 1874 } 1875 } 1876 1877 /** 1878 * Utility method to test if a certificate is self-issued. This is 1879 * the case iff the subject and issuer X500Principals are equal. 1880 */ 1881 public static boolean isSelfIssued(X509Certificate cert) { 1882 X500Principal subject = cert.getSubjectX500Principal(); 1883 X500Principal issuer = cert.getIssuerX500Principal(); 1884 return subject.equals(issuer); 1885 } 1886 1887 /** 1888 * Utility method to test if a certificate is self-signed. This is 1889 * the case iff the subject and issuer X500Principals are equal 1890 * AND the certificate's subject public key can be used to verify 1891 * the certificate. In case of exception, returns false. 1892 */ 1893 public static boolean isSelfSigned(X509Certificate cert, 1894 String sigProvider) { 1895 if (isSelfIssued(cert)) { 1896 try { 1897 if (sigProvider == null) { 1898 cert.verify(cert.getPublicKey()); 1899 } else { 1900 cert.verify(cert.getPublicKey(), sigProvider); 1901 } 1902 return true; 1903 } catch (Exception e) { 1904 // In case of exception, return false 1905 } 1906 } 1907 return false; 1908 } 1909 1910 private ConcurrentHashMap<String,String> fingerprints = 1911 new ConcurrentHashMap<>(2); 1912 1913 public String getFingerprint(String algorithm) { 1914 return fingerprints.computeIfAbsent(algorithm, 1915 x -> getFingerprint(x, this)); 1916 } 1917 1918 /** 1919 * Gets the requested finger print of the certificate. The result 1920 * only contains 0-9 and A-F. No small case, no colon. 1921 */ 1922 public static String getFingerprint(String algorithm, 1923 X509Certificate cert) { 1924 try { 1925 byte[] encCertInfo = cert.getEncoded(); 1926 MessageDigest md = MessageDigest.getInstance(algorithm); 1927 byte[] digest = md.digest(encCertInfo); 1928 StringBuilder sb = new StringBuilder(digest.length * 2); 1929 for (int i = 0; i < digest.length; i++) { 1930 byte2hex(digest[i], sb); 1931 } 1932 return sb.toString(); 1933 } catch (NoSuchAlgorithmException | CertificateEncodingException e) { 1934 // ignored 1935 } 1936 return ""; 1937 } 1938 1939 /** 1940 * Converts a byte to hex digit and writes to the supplied builder 1941 */ 1942 private static void byte2hex(byte b, StringBuilder buf) { 1943 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', 1944 '9', 'A', 'B', 'C', 'D', 'E', 'F' }; 1945 int high = ((b & 0xf0) >> 4); 1946 int low = (b & 0x0f); 1947 buf.append(hexChars[high]) 1948 .append(hexChars[low]); 1949 } 1950 }