1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.cert.*;
38 import java.security.cert.Certificate;
39 import java.util.*;
40 import java.util.concurrent.ConcurrentHashMap;
41
42 import javax.security.auth.x500.X500Principal;
43
44 import sun.security.util.HexDumpEncoder;
45 import java.util.Base64;
46 import sun.security.util.*;
47 import sun.security.provider.X509Factory;
48
49 /**
50 * The X509CertImpl class represents an X.509 certificate. These certificates
51 * are widely used to support authentication and other functionality in
52 * Internet security systems. Common applications include Privacy Enhanced
53 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
54 * software distribution, and Secure Electronic Transactions (SET). There
55 * is a commercial infrastructure ready to manage large scale deployments
56 * of X.509 identity certificates.
57 *
58 * <P>These certificates are managed and vouched for by <em>Certificate
59 * Authorities</em> (CAs). CAs are services which create certificates by
60 * placing data in the X.509 standard format and then digitally signing
61 * that data. Such signatures are quite difficult to forge. CAs act as
62 * trusted third parties, making introductions between agents who have no
63 * direct knowledge of each other. CA certificates are either signed by
64 * themselves, or by some other CA such as a "root" CA.
65 *
66 * <P>RFC 1422 is very informative, though it does not describe much
67 * of the recent work being done with X.509 certificates. That includes
68 * a 1996 version (X.509v3) and a variety of enhancements being made to
69 * facilitate an explosion of personal certificates used as "Internet
70 * Drivers' Licences", or with SET for credit card transactions.
71 *
72 * <P>More recent work includes the IETF PKIX Working Group efforts,
73 * especially RFC2459.
74 *
75 * @author Dave Brownell
76 * @author Amit Kapoor
77 * @author Hemma Prafullchandra
78 * @see X509CertInfo
79 */
80 public class X509CertImpl extends X509Certificate implements DerEncoder {
81
82 private static final long serialVersionUID = -3457612960190864406L;
83
84 private static final char DOT = '.';
85 /**
86 * Public attribute names.
87 */
88 public static final String NAME = "x509";
89 public static final String INFO = X509CertInfo.NAME;
90 public static final String ALG_ID = "algorithm";
91 public static final String SIGNATURE = "signature";
92 public static final String SIGNED_CERT = "signed_cert";
93
94 /**
95 * The following are defined for ease-of-use. These
96 * are the most frequently retrieved attributes.
97 */
98 // x509.info.subject.dname
99 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
100 X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME;
101 // x509.info.issuer.dname
102 public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
103 X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME;
104 // x509.info.serialNumber.number
105 public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
106 X509CertInfo.SERIAL_NUMBER + DOT +
107 CertificateSerialNumber.NUMBER;
108 // x509.info.key.value
109 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
110 X509CertInfo.KEY + DOT +
111 CertificateX509Key.KEY;
112
113 // x509.info.version.value
114 public static final String VERSION = NAME + DOT + INFO + DOT +
115 X509CertInfo.VERSION + DOT +
116 CertificateVersion.VERSION;
117
118 // x509.algorithm
119 public static final String SIG_ALG = NAME + DOT + ALG_ID;
120
121 // x509.signature
122 public static final String SIG = NAME + DOT + SIGNATURE;
123
124 // when we sign and decode we set this to true
125 // this is our means to make certificates immutable
126 private boolean readOnly = false;
127
128 // Certificate data, and its envelope
129 private byte[] signedCert = null;
130 protected X509CertInfo info = null;
131 protected AlgorithmId algId = null;
132 protected byte[] signature = null;
133
134 // recognized extension OIDS
135 private static final String KEY_USAGE_OID = "2.5.29.15";
136 private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
137 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
138 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
139 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
140 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
141
142 // number of standard key usage bits.
143 private static final int NUM_STANDARD_KEY_USAGE = 9;
144
145 // SubjectAlterntativeNames cache
146 private Collection<List<?>> subjectAlternativeNames;
147
148 // IssuerAlternativeNames cache
149 private Collection<List<?>> issuerAlternativeNames;
150
151 // ExtendedKeyUsage cache
152 private List<String> extKeyUsage;
153
154 // AuthorityInformationAccess cache
155 private Set<AccessDescription> authInfoAccess;
156
157 /**
158 * PublicKey that has previously been used to verify
159 * the signature of this certificate. Null if the certificate has not
160 * yet been verified.
161 */
162 private PublicKey verifiedPublicKey;
163 /**
164 * If verifiedPublicKey is not null, name of the provider used to
165 * successfully verify the signature of this certificate, or the
166 * empty String if no provider was explicitly specified.
167 */
168 private String verifiedProvider;
169 /**
170 * If verifiedPublicKey is not null, result of the verification using
171 * verifiedPublicKey and verifiedProvider. If true, verification was
172 * successful, if false, it failed.
173 */
174 private boolean verificationResult;
175
176 /**
177 * Default constructor.
178 */
179 public X509CertImpl() { }
180
181 /**
182 * Unmarshals a certificate from its encoded form, parsing the
183 * encoded bytes. This form of constructor is used by agents which
184 * need to examine and use certificate contents. That is, this is
185 * one of the more commonly used constructors. Note that the buffer
186 * must include only a certificate, and no "garbage" may be left at
187 * the end. If you need to ignore data at the end of a certificate,
188 * use another constructor.
189 *
190 * @param certData the encoded bytes, with no trailing padding.
191 * @exception CertificateException on parsing and initialization errors.
192 */
193 public X509CertImpl(byte[] certData) throws CertificateException {
194 try {
195 parse(new DerValue(certData));
196 } catch (IOException e) {
197 signedCert = null;
198 throw new CertificateException("Unable to initialize, " + e, e);
199 }
200 }
201
202 /**
203 * unmarshals an X.509 certificate from an input stream. If the
204 * certificate is RFC1421 hex-encoded, then it must begin with
205 * the line X509Factory.BEGIN_CERT and end with the line
206 * X509Factory.END_CERT.
207 *
208 * @param in an input stream holding at least one certificate that may
209 * be either DER-encoded or RFC1421 hex-encoded version of the
210 * DER-encoded certificate.
211 * @exception CertificateException on parsing and initialization errors.
212 */
213 public X509CertImpl(InputStream in) throws CertificateException {
214
215 DerValue der = null;
216
217 BufferedInputStream inBuffered = new BufferedInputStream(in);
218
219 // First try reading stream as HEX-encoded DER-encoded bytes,
220 // since not mistakable for raw DER
221 try {
222 inBuffered.mark(Integer.MAX_VALUE);
223 der = readRFC1421Cert(inBuffered);
224 } catch (IOException ioe) {
225 try {
226 // Next, try reading stream as raw DER-encoded bytes
227 inBuffered.reset();
228 der = new DerValue(inBuffered);
229 } catch (IOException ioe1) {
230 throw new CertificateException("Input stream must be " +
231 "either DER-encoded bytes " +
232 "or RFC1421 hex-encoded " +
233 "DER-encoded bytes: " +
234 ioe1.getMessage(), ioe1);
235 }
236 }
237 try {
238 parse(der);
239 } catch (IOException ioe) {
240 signedCert = null;
241 throw new CertificateException("Unable to parse DER value of " +
242 "certificate, " + ioe, ioe);
243 }
244 }
245
246 /**
247 * read input stream as HEX-encoded DER-encoded bytes
248 *
249 * @param in InputStream to read
250 * @return DerValue corresponding to decoded HEX-encoded bytes
251 * @throws IOException if stream can not be interpreted as RFC1421
252 * encoded bytes
253 */
254 private DerValue readRFC1421Cert(InputStream in) throws IOException {
255 DerValue der = null;
256 String line = null;
257 BufferedReader certBufferedReader =
258 new BufferedReader(new InputStreamReader(in, "ASCII"));
259 try {
260 line = certBufferedReader.readLine();
261 } catch (IOException ioe1) {
262 throw new IOException("Unable to read InputStream: " +
263 ioe1.getMessage());
264 }
265 if (line.equals(X509Factory.BEGIN_CERT)) {
266 /* stream appears to be hex-encoded bytes */
267 ByteArrayOutputStream decstream = new ByteArrayOutputStream();
268 try {
269 while ((line = certBufferedReader.readLine()) != null) {
270 if (line.equals(X509Factory.END_CERT)) {
271 der = new DerValue(decstream.toByteArray());
272 break;
273 } else {
274 decstream.write(Pem.decode(line));
275 }
276 }
277 } catch (IOException ioe2) {
278 throw new IOException("Unable to read InputStream: "
279 + ioe2.getMessage());
280 }
281 } else {
282 throw new IOException("InputStream is not RFC1421 hex-encoded " +
283 "DER bytes");
284 }
285 return der;
286 }
287
288 /**
289 * Construct an initialized X509 Certificate. The certificate is stored
290 * in raw form and has to be signed to be useful.
291 *
292 * @param certInfo the X509CertificateInfo which the Certificate is to be
293 * created from.
294 */
295 public X509CertImpl(X509CertInfo certInfo) {
296 this.info = certInfo;
297 }
298
299 /**
300 * Unmarshal a certificate from its encoded form, parsing a DER value.
301 * This form of constructor is used by agents which need to examine
302 * and use certificate contents.
303 *
304 * @param derVal the der value containing the encoded cert.
305 * @exception CertificateException on parsing and initialization errors.
306 */
307 public X509CertImpl(DerValue derVal) throws CertificateException {
308 try {
309 parse(derVal);
310 } catch (IOException e) {
311 signedCert = null;
312 throw new CertificateException("Unable to initialize, " + e, e);
313 }
314 }
315
316 /**
317 * Appends the certificate to an output stream.
318 *
319 * @param out an input stream to which the certificate is appended.
320 * @exception CertificateEncodingException on encoding errors.
321 */
322 public void encode(OutputStream out)
323 throws CertificateEncodingException {
324 if (signedCert == null)
325 throw new CertificateEncodingException(
326 "Null certificate to encode");
327 try {
328 out.write(signedCert.clone());
329 } catch (IOException e) {
330 throw new CertificateEncodingException(e.toString());
331 }
332 }
333
334 /**
335 * DER encode this object onto an output stream.
336 * Implements the <code>DerEncoder</code> interface.
337 *
338 * @param out the output stream on which to write the DER encoding.
339 *
340 * @exception IOException on encoding error.
341 */
342 public void derEncode(OutputStream out) throws IOException {
343 if (signedCert == null)
344 throw new IOException("Null certificate to encode");
345 out.write(signedCert.clone());
346 }
347
348 /**
349 * Returns the encoded form of this certificate. It is
350 * assumed that each certificate type would have only a single
351 * form of encoding; for example, X.509 certificates would
352 * be encoded as ASN.1 DER.
353 *
354 * @exception CertificateEncodingException if an encoding error occurs.
355 */
356 public byte[] getEncoded() throws CertificateEncodingException {
357 return getEncodedInternal().clone();
358 }
359
360 /**
361 * Returned the encoding as an uncloned byte array. Callers must
362 * guarantee that they neither modify it nor expose it to untrusted
363 * code.
364 */
365 public byte[] getEncodedInternal() throws CertificateEncodingException {
366 if (signedCert == null) {
367 throw new CertificateEncodingException(
368 "Null certificate to encode");
369 }
370 return signedCert;
371 }
372
373 /**
374 * Throws an exception if the certificate was not signed using the
375 * verification key provided. Successfully verifying a certificate
376 * does <em>not</em> indicate that one should trust the entity which
377 * it represents.
378 *
379 * @param key the public key used for verification.
380 *
381 * @exception InvalidKeyException on incorrect key.
382 * @exception NoSuchAlgorithmException on unsupported signature
383 * algorithms.
384 * @exception NoSuchProviderException if there's no default provider.
385 * @exception SignatureException on signature errors.
386 * @exception CertificateException on encoding errors.
387 */
388 public void verify(PublicKey key)
389 throws CertificateException, NoSuchAlgorithmException,
390 InvalidKeyException, NoSuchProviderException, SignatureException {
391
392 verify(key, "");
393 }
394
395 /**
396 * Throws an exception if the certificate was not signed using the
397 * verification key provided. Successfully verifying a certificate
398 * does <em>not</em> indicate that one should trust the entity which
399 * it represents.
400 *
401 * @param key the public key used for verification.
402 * @param sigProvider the name of the provider.
403 *
404 * @exception NoSuchAlgorithmException on unsupported signature
405 * algorithms.
406 * @exception InvalidKeyException on incorrect key.
407 * @exception NoSuchProviderException on incorrect provider.
408 * @exception SignatureException on signature errors.
409 * @exception CertificateException on encoding errors.
410 */
411 public synchronized void verify(PublicKey key, String sigProvider)
412 throws CertificateException, NoSuchAlgorithmException,
413 InvalidKeyException, NoSuchProviderException, SignatureException {
414 if (sigProvider == null) {
415 sigProvider = "";
416 }
417 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
418 // this certificate has already been verified using
419 // this public key. Make sure providers match, too.
420 if (sigProvider.equals(verifiedProvider)) {
421 if (verificationResult) {
422 return;
423 } else {
424 throw new SignatureException("Signature does not match.");
425 }
426 }
427 }
428 if (signedCert == null) {
429 throw new CertificateEncodingException("Uninitialized certificate");
430 }
431 // Verify the signature ...
432 Signature sigVerf = null;
433 if (sigProvider.length() == 0) {
434 sigVerf = Signature.getInstance(algId.getName());
435 } else {
436 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
437 }
438 sigVerf.initVerify(key);
439
440 byte[] rawCert = info.getEncodedInfo();
441 sigVerf.update(rawCert, 0, rawCert.length);
442
443 // verify may throw SignatureException for invalid encodings, etc.
444 verificationResult = sigVerf.verify(signature);
445 verifiedPublicKey = key;
446 verifiedProvider = sigProvider;
447
448 if (verificationResult == false) {
449 throw new SignatureException("Signature does not match.");
450 }
451 }
452
453 /**
454 * Throws an exception if the certificate was not signed using the
455 * verification key provided. This method uses the signature verification
456 * engine supplied by the specified provider. Note that the specified
457 * Provider object does not have to be registered in the provider list.
458 * Successfully verifying a certificate does <em>not</em> indicate that one
459 * should trust the entity which it represents.
460 *
461 * @param key the public key used for verification.
462 * @param sigProvider the provider.
463 *
464 * @exception NoSuchAlgorithmException on unsupported signature
465 * algorithms.
466 * @exception InvalidKeyException on incorrect key.
467 * @exception SignatureException on signature errors.
468 * @exception CertificateException on encoding errors.
469 */
470 public synchronized void verify(PublicKey key, Provider sigProvider)
471 throws CertificateException, NoSuchAlgorithmException,
472 InvalidKeyException, SignatureException {
473 if (signedCert == null) {
474 throw new CertificateEncodingException("Uninitialized certificate");
475 }
476 // Verify the signature ...
477 Signature sigVerf = null;
478 if (sigProvider == null) {
479 sigVerf = Signature.getInstance(algId.getName());
480 } else {
481 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
482 }
483 sigVerf.initVerify(key);
484
485 byte[] rawCert = info.getEncodedInfo();
486 sigVerf.update(rawCert, 0, rawCert.length);
487
488 // verify may throw SignatureException for invalid encodings, etc.
489 verificationResult = sigVerf.verify(signature);
490 verifiedPublicKey = key;
491
492 if (verificationResult == false) {
493 throw new SignatureException("Signature does not match.");
494 }
495 }
496
497 /**
498 * Creates an X.509 certificate, and signs it using the given key
499 * (associating a signature algorithm and an X.500 name).
500 * This operation is used to implement the certificate generation
501 * functionality of a certificate authority.
502 *
503 * @param key the private key used for signing.
504 * @param algorithm the name of the signature algorithm used.
505 *
506 * @exception InvalidKeyException on incorrect key.
507 * @exception NoSuchAlgorithmException on unsupported signature
508 * algorithms.
509 * @exception NoSuchProviderException if there's no default provider.
510 * @exception SignatureException on signature errors.
511 * @exception CertificateException on encoding errors.
512 */
513 public void sign(PrivateKey key, String algorithm)
514 throws CertificateException, NoSuchAlgorithmException,
515 InvalidKeyException, NoSuchProviderException, SignatureException {
516 sign(key, algorithm, null);
517 }
518
519 /**
520 * Creates an X.509 certificate, and signs it using the given key
521 * (associating a signature algorithm and an X.500 name).
522 * This operation is used to implement the certificate generation
523 * functionality of a certificate authority.
524 *
525 * @param key the private key used for signing.
526 * @param algorithm the name of the signature algorithm used.
527 * @param provider the name of the provider.
528 *
529 * @exception NoSuchAlgorithmException on unsupported signature
530 * algorithms.
531 * @exception InvalidKeyException on incorrect key.
532 * @exception NoSuchProviderException on incorrect provider.
533 * @exception SignatureException on signature errors.
534 * @exception CertificateException on encoding errors.
535 */
536 public void sign(PrivateKey key, String algorithm, String provider)
537 throws CertificateException, NoSuchAlgorithmException,
538 InvalidKeyException, NoSuchProviderException, SignatureException {
539 try {
540 if (readOnly)
541 throw new CertificateEncodingException(
542 "cannot over-write existing certificate");
543 Signature sigEngine = null;
544 if ((provider == null) || (provider.length() == 0))
545 sigEngine = Signature.getInstance(algorithm);
546 else
547 sigEngine = Signature.getInstance(algorithm, provider);
548
549 sigEngine.initSign(key);
550
551 // in case the name is reset
552 algId = AlgorithmId.get(sigEngine.getAlgorithm());
553
554 DerOutputStream out = new DerOutputStream();
555 DerOutputStream tmp = new DerOutputStream();
556
557 // encode certificate info
558 info.encode(tmp);
559 byte[] rawCert = tmp.toByteArray();
560
561 // encode algorithm identifier
562 algId.encode(tmp);
563
564 // Create and encode the signature itself.
565 sigEngine.update(rawCert, 0, rawCert.length);
566 signature = sigEngine.sign();
567 tmp.putBitString(signature);
568
569 // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
570 out.write(DerValue.tag_Sequence, tmp);
571 signedCert = out.toByteArray();
572 readOnly = true;
573
574 } catch (IOException e) {
575 throw new CertificateEncodingException(e.toString());
576 }
577 }
578
579 /**
580 * Checks that the certificate is currently valid, i.e. the current
581 * time is within the specified validity period.
582 *
583 * @exception CertificateExpiredException if the certificate has expired.
584 * @exception CertificateNotYetValidException if the certificate is not
585 * yet valid.
586 */
587 public void checkValidity()
588 throws CertificateExpiredException, CertificateNotYetValidException {
589 Date date = new Date();
590 checkValidity(date);
591 }
592
593 /**
594 * Checks that the specified date is within the certificate's
595 * validity period, or basically if the certificate would be
596 * valid at the specified date/time.
597 *
598 * @param date the Date to check against to see if this certificate
599 * is valid at that date/time.
600 *
601 * @exception CertificateExpiredException if the certificate has expired
602 * with respect to the <code>date</code> supplied.
603 * @exception CertificateNotYetValidException if the certificate is not
604 * yet valid with respect to the <code>date</code> supplied.
605 */
606 public void checkValidity(Date date)
607 throws CertificateExpiredException, CertificateNotYetValidException {
608
609 CertificateValidity interval = null;
610 try {
611 interval = (CertificateValidity)info.get(CertificateValidity.NAME);
612 } catch (Exception e) {
613 throw new CertificateNotYetValidException("Incorrect validity period");
614 }
615 if (interval == null)
616 throw new CertificateNotYetValidException("Null validity period");
617 interval.valid(date);
618 }
619
620 /**
621 * Return the requested attribute from the certificate.
622 *
623 * Note that the X509CertInfo is not cloned for performance reasons.
624 * Callers must ensure that they do not modify it. All other
625 * attributes are cloned.
626 *
627 * @param name the name of the attribute.
628 * @exception CertificateParsingException on invalid attribute identifier.
629 */
630 public Object get(String name)
631 throws CertificateParsingException {
632 X509AttributeName attr = new X509AttributeName(name);
633 String id = attr.getPrefix();
634 if (!(id.equalsIgnoreCase(NAME))) {
635 throw new CertificateParsingException("Invalid root of "
636 + "attribute name, expected [" + NAME +
637 "], received " + "[" + id + "]");
638 }
639 attr = new X509AttributeName(attr.getSuffix());
640 id = attr.getPrefix();
641
642 if (id.equalsIgnoreCase(INFO)) {
643 if (info == null) {
644 return null;
645 }
646 if (attr.getSuffix() != null) {
647 try {
648 return info.get(attr.getSuffix());
649 } catch (IOException e) {
650 throw new CertificateParsingException(e.toString());
651 } catch (CertificateException e) {
652 throw new CertificateParsingException(e.toString());
653 }
654 } else {
655 return info;
656 }
657 } else if (id.equalsIgnoreCase(ALG_ID)) {
658 return(algId);
659 } else if (id.equalsIgnoreCase(SIGNATURE)) {
660 if (signature != null)
661 return signature.clone();
662 else
663 return null;
664 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
665 if (signedCert != null)
666 return signedCert.clone();
667 else
668 return null;
669 } else {
670 throw new CertificateParsingException("Attribute name not "
671 + "recognized or get() not allowed for the same: " + id);
672 }
673 }
674
675 /**
676 * Set the requested attribute in the certificate.
677 *
678 * @param name the name of the attribute.
679 * @param obj the value of the attribute.
680 * @exception CertificateException on invalid attribute identifier.
681 * @exception IOException on encoding error of attribute.
682 */
683 public void set(String name, Object obj)
684 throws CertificateException, IOException {
685 // check if immutable
686 if (readOnly)
687 throw new CertificateException("cannot over-write existing"
688 + " certificate");
689
690 X509AttributeName attr = new X509AttributeName(name);
691 String id = attr.getPrefix();
692 if (!(id.equalsIgnoreCase(NAME))) {
693 throw new CertificateException("Invalid root of attribute name,"
694 + " expected [" + NAME + "], received " + id);
695 }
696 attr = new X509AttributeName(attr.getSuffix());
697 id = attr.getPrefix();
698
699 if (id.equalsIgnoreCase(INFO)) {
700 if (attr.getSuffix() == null) {
701 if (!(obj instanceof X509CertInfo)) {
702 throw new CertificateException("Attribute value should"
703 + " be of type X509CertInfo.");
704 }
705 info = (X509CertInfo)obj;
706 signedCert = null; //reset this as certificate data has changed
707 } else {
708 info.set(attr.getSuffix(), obj);
709 signedCert = null; //reset this as certificate data has changed
710 }
711 } else {
712 throw new CertificateException("Attribute name not recognized or " +
713 "set() not allowed for the same: " + id);
714 }
715 }
716
717 /**
718 * Delete the requested attribute from the certificate.
719 *
720 * @param name the name of the attribute.
721 * @exception CertificateException on invalid attribute identifier.
722 * @exception IOException on other errors.
723 */
724 public void delete(String name)
725 throws CertificateException, IOException {
726 // check if immutable
727 if (readOnly)
728 throw new CertificateException("cannot over-write existing"
729 + " certificate");
730
731 X509AttributeName attr = new X509AttributeName(name);
732 String id = attr.getPrefix();
733 if (!(id.equalsIgnoreCase(NAME))) {
734 throw new CertificateException("Invalid root of attribute name,"
735 + " expected ["
736 + NAME + "], received " + id);
737 }
738 attr = new X509AttributeName(attr.getSuffix());
739 id = attr.getPrefix();
740
741 if (id.equalsIgnoreCase(INFO)) {
742 if (attr.getSuffix() != null) {
743 info = null;
744 } else {
745 info.delete(attr.getSuffix());
746 }
747 } else if (id.equalsIgnoreCase(ALG_ID)) {
748 algId = null;
749 } else if (id.equalsIgnoreCase(SIGNATURE)) {
750 signature = null;
751 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
752 signedCert = null;
753 } else {
754 throw new CertificateException("Attribute name not recognized or " +
755 "delete() not allowed for the same: " + id);
756 }
757 }
758
759 /**
760 * Return an enumeration of names of attributes existing within this
761 * attribute.
762 */
763 public Enumeration<String> getElements() {
764 AttributeNameEnumeration elements = new AttributeNameEnumeration();
765 elements.addElement(NAME + DOT + INFO);
766 elements.addElement(NAME + DOT + ALG_ID);
767 elements.addElement(NAME + DOT + SIGNATURE);
768 elements.addElement(NAME + DOT + SIGNED_CERT);
769
770 return elements.elements();
771 }
772
773 /**
774 * Return the name of this attribute.
775 */
776 public String getName() {
777 return(NAME);
778 }
779
780 /**
781 * Returns a printable representation of the certificate. This does not
782 * contain all the information available to distinguish this from any
783 * other certificate. The certificate must be fully constructed
784 * before this function may be called.
785 */
786 public String toString() {
787 if (info == null || algId == null || signature == null)
788 return "";
789
790 HexDumpEncoder encoder = new HexDumpEncoder();
791 return "[\n" + info + '\n' +
792 " Algorithm: [" + algId + "]\n" +
793 " Signature:\n" + encoder.encodeBuffer(signature) + "\n]";
794 }
795
796 // the strongly typed gets, as per java.security.cert.X509Certificate
797
798 /**
799 * Gets the publickey from this certificate.
800 *
801 * @return the publickey.
802 */
803 public PublicKey getPublicKey() {
804 if (info == null)
805 return null;
806 try {
807 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
808 + DOT + CertificateX509Key.KEY);
809 return key;
810 } catch (Exception e) {
811 return null;
812 }
813 }
814
815 /**
816 * Gets the version number from the certificate.
817 *
818 * @return the version number, i.e. 1, 2 or 3.
819 */
820 public int getVersion() {
821 if (info == null)
822 return -1;
823 try {
824 int vers = ((Integer)info.get(CertificateVersion.NAME
825 + DOT + CertificateVersion.VERSION)).intValue();
826 return vers+1;
827 } catch (Exception e) {
828 return -1;
829 }
830 }
831
832 /**
833 * Gets the serial number from the certificate.
834 *
835 * @return the serial number.
836 */
837 public BigInteger getSerialNumber() {
838 SerialNumber ser = getSerialNumberObject();
839
840 return ser != null ? ser.getNumber() : null;
841 }
842
843 /**
844 * Gets the serial number from the certificate as
845 * a SerialNumber object.
846 *
847 * @return the serial number.
848 */
849 public SerialNumber getSerialNumberObject() {
850 if (info == null)
851 return null;
852 try {
853 SerialNumber ser = (SerialNumber)info.get(
854 CertificateSerialNumber.NAME + DOT +
855 CertificateSerialNumber.NUMBER);
856 return ser;
857 } catch (Exception e) {
858 return null;
859 }
860 }
861
862
863 /**
864 * Gets the subject distinguished name from the certificate.
865 *
866 * @return the subject name.
867 */
868 public Principal getSubjectDN() {
869 if (info == null)
870 return null;
871 try {
872 Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT +
873 X509CertInfo.DN_NAME);
874 return subject;
875 } catch (Exception e) {
876 return null;
877 }
878 }
879
880 /**
881 * Get subject name as X500Principal. Overrides implementation in
882 * X509Certificate with a slightly more efficient version that is
883 * also aware of X509CertImpl mutability.
884 */
885 public X500Principal getSubjectX500Principal() {
886 if (info == null) {
887 return null;
888 }
889 try {
890 X500Principal subject = (X500Principal)info.get(
891 X509CertInfo.SUBJECT + DOT +
892 "x500principal");
893 return subject;
894 } catch (Exception e) {
895 return null;
896 }
897 }
898
899 /**
900 * Gets the issuer distinguished name from the certificate.
901 *
902 * @return the issuer name.
903 */
904 public Principal getIssuerDN() {
905 if (info == null)
906 return null;
907 try {
908 Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT +
909 X509CertInfo.DN_NAME);
910 return issuer;
911 } catch (Exception e) {
912 return null;
913 }
914 }
915
916 /**
917 * Get issuer name as X500Principal. Overrides implementation in
918 * X509Certificate with a slightly more efficient version that is
919 * also aware of X509CertImpl mutability.
920 */
921 public X500Principal getIssuerX500Principal() {
922 if (info == null) {
923 return null;
924 }
925 try {
926 X500Principal issuer = (X500Principal)info.get(
927 X509CertInfo.ISSUER + DOT +
928 "x500principal");
929 return issuer;
930 } catch (Exception e) {
931 return null;
932 }
933 }
934
935 /**
936 * Gets the notBefore date from the validity period of the certificate.
937 *
938 * @return the start date of the validity period.
939 */
940 public Date getNotBefore() {
941 if (info == null)
942 return null;
943 try {
944 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
945 CertificateValidity.NOT_BEFORE);
946 return d;
947 } catch (Exception e) {
948 return null;
949 }
950 }
951
952 /**
953 * Gets the notAfter date from the validity period of the certificate.
954 *
955 * @return the end date of the validity period.
956 */
957 public Date getNotAfter() {
958 if (info == null)
959 return null;
960 try {
961 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
962 CertificateValidity.NOT_AFTER);
963 return d;
964 } catch (Exception e) {
965 return null;
966 }
967 }
968
969 /**
970 * Gets the DER encoded certificate informations, the
971 * <code>tbsCertificate</code> from this certificate.
972 * This can be used to verify the signature independently.
973 *
974 * @return the DER encoded certificate information.
975 * @exception CertificateEncodingException if an encoding error occurs.
976 */
977 public byte[] getTBSCertificate() throws CertificateEncodingException {
978 if (info != null) {
979 return info.getEncodedInfo();
980 } else
981 throw new CertificateEncodingException("Uninitialized certificate");
982 }
983
984 /**
985 * Gets the raw Signature bits from the certificate.
986 *
987 * @return the signature.
988 */
989 public byte[] getSignature() {
990 if (signature == null)
991 return null;
992 return signature.clone();
993 }
994
995 /**
996 * Gets the signature algorithm name for the certificate
997 * signature algorithm.
998 * For example, the string "SHA-1/DSA" or "DSS".
999 *
1000 * @return the signature algorithm name.
1001 */
1002 public String getSigAlgName() {
1003 if (algId == null)
1004 return null;
1005 return (algId.getName());
1006 }
1007
1008 /**
1009 * Gets the signature algorithm OID string from the certificate.
1010 * For example, the string "1.2.840.10040.4.3"
1011 *
1012 * @return the signature algorithm oid string.
1013 */
1014 public String getSigAlgOID() {
1015 if (algId == null)
1016 return null;
1017 ObjectIdentifier oid = algId.getOID();
1018 return (oid.toString());
1019 }
1020
1021 /**
1022 * Gets the DER encoded signature algorithm parameters from this
1023 * certificate's signature algorithm.
1024 *
1025 * @return the DER encoded signature algorithm parameters, or
1026 * null if no parameters are present.
1027 */
1028 public byte[] getSigAlgParams() {
1029 if (algId == null)
1030 return null;
1031 try {
1032 return algId.getEncodedParams();
1033 } catch (IOException e) {
1034 return null;
1035 }
1036 }
1037
1038 /**
1039 * Gets the Issuer Unique Identity from the certificate.
1040 *
1041 * @return the Issuer Unique Identity.
1042 */
1043 public boolean[] getIssuerUniqueID() {
1044 if (info == null)
1045 return null;
1046 try {
1047 UniqueIdentity id = (UniqueIdentity)info.get(
1048 X509CertInfo.ISSUER_ID);
1049 if (id == null)
1050 return null;
1051 else
1052 return (id.getId());
1053 } catch (Exception e) {
1054 return null;
1055 }
1056 }
1057
1058 /**
1059 * Gets the Subject Unique Identity from the certificate.
1060 *
1061 * @return the Subject Unique Identity.
1062 */
1063 public boolean[] getSubjectUniqueID() {
1064 if (info == null)
1065 return null;
1066 try {
1067 UniqueIdentity id = (UniqueIdentity)info.get(
1068 X509CertInfo.SUBJECT_ID);
1069 if (id == null)
1070 return null;
1071 else
1072 return (id.getId());
1073 } catch (Exception e) {
1074 return null;
1075 }
1076 }
1077
1078 public KeyIdentifier getAuthKeyId() {
1079 AuthorityKeyIdentifierExtension aki
1080 = getAuthorityKeyIdentifierExtension();
1081 if (aki != null) {
1082 try {
1083 return (KeyIdentifier)aki.get(
1084 AuthorityKeyIdentifierExtension.KEY_ID);
1085 } catch (IOException ioe) {} // not possible
1086 }
1087 return null;
1088 }
1089
1090 /**
1091 * Returns the subject's key identifier, or null
1092 */
1093 public KeyIdentifier getSubjectKeyId() {
1094 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension();
1095 if (ski != null) {
1096 try {
1097 return ski.get(SubjectKeyIdentifierExtension.KEY_ID);
1098 } catch (IOException ioe) {} // not possible
1099 }
1100 return null;
1101 }
1102
1103 /**
1104 * Get AuthorityKeyIdentifier extension
1105 * @return AuthorityKeyIdentifier object or null (if no such object
1106 * in certificate)
1107 */
1108 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
1109 {
1110 return (AuthorityKeyIdentifierExtension)
1111 getExtension(PKIXExtensions.AuthorityKey_Id);
1112 }
1113
1114 /**
1115 * Get BasicConstraints extension
1116 * @return BasicConstraints object or null (if no such object in
1117 * certificate)
1118 */
1119 public BasicConstraintsExtension getBasicConstraintsExtension() {
1120 return (BasicConstraintsExtension)
1121 getExtension(PKIXExtensions.BasicConstraints_Id);
1122 }
1123
1124 /**
1125 * Get CertificatePoliciesExtension
1126 * @return CertificatePoliciesExtension or null (if no such object in
1127 * certificate)
1128 */
1129 public CertificatePoliciesExtension getCertificatePoliciesExtension() {
1130 return (CertificatePoliciesExtension)
1131 getExtension(PKIXExtensions.CertificatePolicies_Id);
1132 }
1133
1134 /**
1135 * Get ExtendedKeyUsage extension
1136 * @return ExtendedKeyUsage extension object or null (if no such object
1137 * in certificate)
1138 */
1139 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
1140 return (ExtendedKeyUsageExtension)
1141 getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
1142 }
1143
1144 /**
1145 * Get IssuerAlternativeName extension
1146 * @return IssuerAlternativeName object or null (if no such object in
1147 * certificate)
1148 */
1149 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
1150 return (IssuerAlternativeNameExtension)
1151 getExtension(PKIXExtensions.IssuerAlternativeName_Id);
1152 }
1153
1154 /**
1155 * Get NameConstraints extension
1156 * @return NameConstraints object or null (if no such object in certificate)
1157 */
1158 public NameConstraintsExtension getNameConstraintsExtension() {
1159 return (NameConstraintsExtension)
1160 getExtension(PKIXExtensions.NameConstraints_Id);
1161 }
1162
1163 /**
1164 * Get PolicyConstraints extension
1165 * @return PolicyConstraints object or null (if no such object in
1166 * certificate)
1167 */
1168 public PolicyConstraintsExtension getPolicyConstraintsExtension() {
1169 return (PolicyConstraintsExtension)
1170 getExtension(PKIXExtensions.PolicyConstraints_Id);
1171 }
1172
1173 /**
1174 * Get PolicyMappingsExtension extension
1175 * @return PolicyMappingsExtension object or null (if no such object
1176 * in certificate)
1177 */
1178 public PolicyMappingsExtension getPolicyMappingsExtension() {
1179 return (PolicyMappingsExtension)
1180 getExtension(PKIXExtensions.PolicyMappings_Id);
1181 }
1182
1183 /**
1184 * Get PrivateKeyUsage extension
1185 * @return PrivateKeyUsage object or null (if no such object in certificate)
1186 */
1187 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
1188 return (PrivateKeyUsageExtension)
1189 getExtension(PKIXExtensions.PrivateKeyUsage_Id);
1190 }
1191
1192 /**
1193 * Get SubjectAlternativeName extension
1194 * @return SubjectAlternativeName object or null (if no such object in
1195 * certificate)
1196 */
1197 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
1198 {
1199 return (SubjectAlternativeNameExtension)
1200 getExtension(PKIXExtensions.SubjectAlternativeName_Id);
1201 }
1202
1203 /**
1204 * Get SubjectKeyIdentifier extension
1205 * @return SubjectKeyIdentifier object or null (if no such object in
1206 * certificate)
1207 */
1208 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
1209 return (SubjectKeyIdentifierExtension)
1210 getExtension(PKIXExtensions.SubjectKey_Id);
1211 }
1212
1213 /**
1214 * Get CRLDistributionPoints extension
1215 * @return CRLDistributionPoints object or null (if no such object in
1216 * certificate)
1217 */
1218 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
1219 return (CRLDistributionPointsExtension)
1220 getExtension(PKIXExtensions.CRLDistributionPoints_Id);
1221 }
1222
1223 /**
1224 * Return true if a critical extension is found that is
1225 * not supported, otherwise return false.
1226 */
1227 public boolean hasUnsupportedCriticalExtension() {
1228 if (info == null)
1229 return false;
1230 try {
1231 CertificateExtensions exts = (CertificateExtensions)info.get(
1232 CertificateExtensions.NAME);
1233 if (exts == null)
1234 return false;
1235 return exts.hasUnsupportedCriticalExtension();
1236 } catch (Exception e) {
1237 return false;
1238 }
1239 }
1240
1241 /**
1242 * Gets a Set of the extension(s) marked CRITICAL in the
1243 * certificate. In the returned set, each extension is
1244 * represented by its OID string.
1245 *
1246 * @return a set of the extension oid strings in the
1247 * certificate that are marked critical.
1248 */
1249 public Set<String> getCriticalExtensionOIDs() {
1250 if (info == null) {
1251 return null;
1252 }
1253 try {
1254 CertificateExtensions exts = (CertificateExtensions)info.get(
1255 CertificateExtensions.NAME);
1256 if (exts == null) {
1257 return null;
1258 }
1259 Set<String> extSet = new TreeSet<>();
1260 for (Extension ex : exts.getAllExtensions()) {
1261 if (ex.isCritical()) {
1262 extSet.add(ex.getExtensionId().toString());
1263 }
1264 }
1265 return extSet;
1266 } catch (Exception e) {
1267 return null;
1268 }
1269 }
1270
1271 /**
1272 * Gets a Set of the extension(s) marked NON-CRITICAL in the
1273 * certificate. In the returned set, each extension is
1274 * represented by its OID string.
1275 *
1276 * @return a set of the extension oid strings in the
1277 * certificate that are NOT marked critical.
1278 */
1279 public Set<String> getNonCriticalExtensionOIDs() {
1280 if (info == null) {
1281 return null;
1282 }
1283 try {
1284 CertificateExtensions exts = (CertificateExtensions)info.get(
1285 CertificateExtensions.NAME);
1286 if (exts == null) {
1287 return null;
1288 }
1289 Set<String> extSet = new TreeSet<>();
1290 for (Extension ex : exts.getAllExtensions()) {
1291 if (!ex.isCritical()) {
1292 extSet.add(ex.getExtensionId().toString());
1293 }
1294 }
1295 extSet.addAll(exts.getUnparseableExtensions().keySet());
1296 return extSet;
1297 } catch (Exception e) {
1298 return null;
1299 }
1300 }
1301
1302 /**
1303 * Gets the extension identified by the given ObjectIdentifier
1304 *
1305 * @param oid the Object Identifier value for the extension.
1306 * @return Extension or null if certificate does not contain this
1307 * extension
1308 */
1309 public Extension getExtension(ObjectIdentifier oid) {
1310 if (info == null) {
1311 return null;
1312 }
1313 try {
1314 CertificateExtensions extensions;
1315 try {
1316 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1317 } catch (CertificateException ce) {
1318 return null;
1319 }
1320 if (extensions == null) {
1321 return null;
1322 } else {
1323 Extension ex = extensions.getExtension(oid.toString());
1324 if (ex != null) {
1325 return ex;
1326 }
1327 for (Extension ex2: extensions.getAllExtensions()) {
1328 if (ex2.getExtensionId().equals(oid)) {
1329 //XXXX May want to consider cloning this
1330 return ex2;
1331 }
1332 }
1333 /* no such extension in this certificate */
1334 return null;
1335 }
1336 } catch (IOException ioe) {
1337 return null;
1338 }
1339 }
1340
1341 public Extension getUnparseableExtension(ObjectIdentifier oid) {
1342 if (info == null) {
1343 return null;
1344 }
1345 try {
1346 CertificateExtensions extensions;
1347 try {
1348 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1349 } catch (CertificateException ce) {
1350 return null;
1351 }
1352 if (extensions == null) {
1353 return null;
1354 } else {
1355 return extensions.getUnparseableExtensions().get(oid.toString());
1356 }
1357 } catch (IOException ioe) {
1358 return null;
1359 }
1360 }
1361
1362 /**
1363 * Gets the DER encoded extension identified by the given
1364 * oid String.
1365 *
1366 * @param oid the Object Identifier value for the extension.
1367 */
1368 public byte[] getExtensionValue(String oid) {
1369 try {
1370 ObjectIdentifier findOID = new ObjectIdentifier(oid);
1371 String extAlias = OIDMap.getName(findOID);
1372 Extension certExt = null;
1373 CertificateExtensions exts = (CertificateExtensions)info.get(
1374 CertificateExtensions.NAME);
1375
1376 if (extAlias == null) { // may be unknown
1377 // get the extensions, search thru' for this oid
1378 if (exts == null) {
1379 return null;
1380 }
1381
1382 for (Extension ex : exts.getAllExtensions()) {
1383 ObjectIdentifier inCertOID = ex.getExtensionId();
1384 if (inCertOID.equals(findOID)) {
1385 certExt = ex;
1386 break;
1387 }
1388 }
1389 } else { // there's sub-class that can handle this extension
1390 try {
1391 certExt = (Extension)this.get(extAlias);
1392 } catch (CertificateException e) {
1393 // get() throws an Exception instead of returning null, ignore
1394 }
1395 }
1396 if (certExt == null) {
1397 if (exts != null) {
1398 certExt = exts.getUnparseableExtensions().get(oid);
1399 }
1400 if (certExt == null) {
1401 return null;
1402 }
1403 }
1404 byte[] extData = certExt.getExtensionValue();
1405 if (extData == null) {
1406 return null;
1407 }
1408 DerOutputStream out = new DerOutputStream();
1409 out.putOctetString(extData);
1410 return out.toByteArray();
1411 } catch (Exception e) {
1412 return null;
1413 }
1414 }
1415
1416 /**
1417 * Get a boolean array representing the bits of the KeyUsage extension,
1418 * (oid = 2.5.29.15).
1419 * @return the bit values of this extension as an array of booleans.
1420 */
1421 public boolean[] getKeyUsage() {
1422 try {
1423 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
1424 if (extAlias == null)
1425 return null;
1426
1427 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
1428 if (certExt == null)
1429 return null;
1430
1431 boolean[] ret = certExt.getBits();
1432 if (ret.length < NUM_STANDARD_KEY_USAGE) {
1433 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
1434 System.arraycopy(ret, 0, usageBits, 0, ret.length);
1435 ret = usageBits;
1436 }
1437 return ret;
1438 } catch (Exception e) {
1439 return null;
1440 }
1441 }
1442
1443 /**
1444 * This method are the overridden implementation of
1445 * getExtendedKeyUsage method in X509Certificate in the Sun
1446 * provider. It is better performance-wise since it returns cached
1447 * values.
1448 */
1449 public synchronized List<String> getExtendedKeyUsage()
1450 throws CertificateParsingException {
1451 if (readOnly && extKeyUsage != null) {
1452 return extKeyUsage;
1453 } else {
1454 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
1455 if (ext == null) {
1456 return null;
1457 }
1458 extKeyUsage =
1459 Collections.unmodifiableList(ext.getExtendedKeyUsage());
1460 return extKeyUsage;
1461 }
1462 }
1463
1464 /**
1465 * This static method is the default implementation of the
1466 * getExtendedKeyUsage method in X509Certificate. A
1467 * X509Certificate provider generally should overwrite this to
1468 * provide among other things caching for better performance.
1469 */
1470 public static List<String> getExtendedKeyUsage(X509Certificate cert)
1471 throws CertificateParsingException {
1472 try {
1473 byte[] ext = cert.getExtensionValue(EXTENDED_KEY_USAGE_OID);
1474 if (ext == null)
1475 return null;
1476 DerValue val = new DerValue(ext);
1477 byte[] data = val.getOctetString();
1478
1479 ExtendedKeyUsageExtension ekuExt =
1480 new ExtendedKeyUsageExtension(Boolean.FALSE, data);
1481 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
1482 } catch (IOException ioe) {
1483 throw new CertificateParsingException(ioe);
1484 }
1485 }
1486
1487 /**
1488 * Get the certificate constraints path length from
1489 * the critical BasicConstraints extension, (oid = 2.5.29.19).
1490 * @return the length of the constraint.
1491 */
1492 public int getBasicConstraints() {
1493 try {
1494 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
1495 if (extAlias == null)
1496 return -1;
1497 BasicConstraintsExtension certExt =
1498 (BasicConstraintsExtension)this.get(extAlias);
1499 if (certExt == null)
1500 return -1;
1501
1502 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
1503 ).booleanValue() == true)
1504 return ((Integer)certExt.get(
1505 BasicConstraintsExtension.PATH_LEN)).intValue();
1506 else
1507 return -1;
1508 } catch (Exception e) {
1509 return -1;
1510 }
1511 }
1512
1513 /**
1514 * Converts a GeneralNames structure into an immutable Collection of
1515 * alternative names (subject or issuer) in the form required by
1516 * {@link #getSubjectAlternativeNames} or
1517 * {@link #getIssuerAlternativeNames}.
1518 *
1519 * @param names the GeneralNames to be converted
1520 * @return an immutable Collection of alternative names
1521 */
1522 private static Collection<List<?>> makeAltNames(GeneralNames names) {
1523 if (names.isEmpty()) {
1524 return Collections.<List<?>>emptySet();
1525 }
1526 List<List<?>> newNames = new ArrayList<>();
1527 for (GeneralName gname : names.names()) {
1528 GeneralNameInterface name = gname.getName();
1529 List<Object> nameEntry = new ArrayList<>(2);
1530 nameEntry.add(Integer.valueOf(name.getType()));
1531 switch (name.getType()) {
1532 case GeneralNameInterface.NAME_RFC822:
1533 nameEntry.add(((RFC822Name) name).getName());
1534 break;
1535 case GeneralNameInterface.NAME_DNS:
1536 nameEntry.add(((DNSName) name).getName());
1537 break;
1538 case GeneralNameInterface.NAME_DIRECTORY:
1539 nameEntry.add(((X500Name) name).getRFC2253Name());
1540 break;
1541 case GeneralNameInterface.NAME_URI:
1542 nameEntry.add(((URIName) name).getName());
1543 break;
1544 case GeneralNameInterface.NAME_IP:
1545 try {
1546 nameEntry.add(((IPAddressName) name).getName());
1547 } catch (IOException ioe) {
1548 // IPAddressName in cert is bogus
1549 throw new RuntimeException("IPAddress cannot be parsed",
1550 ioe);
1551 }
1552 break;
1553 case GeneralNameInterface.NAME_OID:
1554 nameEntry.add(((OIDName) name).getOID().toString());
1555 break;
1556 default:
1557 // add DER encoded form
1558 DerOutputStream derOut = new DerOutputStream();
1559 try {
1560 name.encode(derOut);
1561 } catch (IOException ioe) {
1562 // should not occur since name has already been decoded
1563 // from cert (this would indicate a bug in our code)
1564 throw new RuntimeException("name cannot be encoded", ioe);
1565 }
1566 nameEntry.add(derOut.toByteArray());
1567 break;
1568 }
1569 newNames.add(Collections.unmodifiableList(nameEntry));
1570 }
1571 return Collections.unmodifiableCollection(newNames);
1572 }
1573
1574 /**
1575 * Checks a Collection of altNames and clones any name entries of type
1576 * byte [].
1577 */ // only partially generified due to javac bug
1578 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
1579 boolean mustClone = false;
1580 for (List<?> nameEntry : altNames) {
1581 if (nameEntry.get(1) instanceof byte[]) {
1582 // must clone names
1583 mustClone = true;
1584 }
1585 }
1586 if (mustClone) {
1587 List<List<?>> namesCopy = new ArrayList<>();
1588 for (List<?> nameEntry : altNames) {
1589 Object nameObject = nameEntry.get(1);
1590 if (nameObject instanceof byte[]) {
1591 List<Object> nameEntryCopy =
1592 new ArrayList<>(nameEntry);
1593 nameEntryCopy.set(1, ((byte[])nameObject).clone());
1594 namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
1595 } else {
1596 namesCopy.add(nameEntry);
1597 }
1598 }
1599 return Collections.unmodifiableCollection(namesCopy);
1600 } else {
1601 return altNames;
1602 }
1603 }
1604
1605 /**
1606 * This method are the overridden implementation of
1607 * getSubjectAlternativeNames method in X509Certificate in the Sun
1608 * provider. It is better performance-wise since it returns cached
1609 * values.
1610 */
1611 public synchronized Collection<List<?>> getSubjectAlternativeNames()
1612 throws CertificateParsingException {
1613 // return cached value if we can
1614 if (readOnly && subjectAlternativeNames != null) {
1615 return cloneAltNames(subjectAlternativeNames);
1616 }
1617 SubjectAlternativeNameExtension subjectAltNameExt =
1618 getSubjectAlternativeNameExtension();
1619 if (subjectAltNameExt == null) {
1620 return null;
1621 }
1622 GeneralNames names;
1623 try {
1624 names = subjectAltNameExt.get(
1625 SubjectAlternativeNameExtension.SUBJECT_NAME);
1626 } catch (IOException ioe) {
1627 // should not occur
1628 return Collections.<List<?>>emptySet();
1629 }
1630 subjectAlternativeNames = makeAltNames(names);
1631 return subjectAlternativeNames;
1632 }
1633
1634 /**
1635 * This static method is the default implementation of the
1636 * getSubjectAlternaitveNames method in X509Certificate. A
1637 * X509Certificate provider generally should overwrite this to
1638 * provide among other things caching for better performance.
1639 */
1640 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
1641 throws CertificateParsingException {
1642 try {
1643 byte[] ext = cert.getExtensionValue(SUBJECT_ALT_NAME_OID);
1644 if (ext == null) {
1645 return null;
1646 }
1647 DerValue val = new DerValue(ext);
1648 byte[] data = val.getOctetString();
1649
1650 SubjectAlternativeNameExtension subjectAltNameExt =
1651 new SubjectAlternativeNameExtension(Boolean.FALSE,
1652 data);
1653
1654 GeneralNames names;
1655 try {
1656 names = subjectAltNameExt.get(
1657 SubjectAlternativeNameExtension.SUBJECT_NAME);
1658 } catch (IOException ioe) {
1659 // should not occur
1660 return Collections.<List<?>>emptySet();
1661 }
1662 return makeAltNames(names);
1663 } catch (IOException ioe) {
1664 throw new CertificateParsingException(ioe);
1665 }
1666 }
1667
1668 /**
1669 * This method are the overridden implementation of
1670 * getIssuerAlternativeNames method in X509Certificate in the Sun
1671 * provider. It is better performance-wise since it returns cached
1672 * values.
1673 */
1674 public synchronized Collection<List<?>> getIssuerAlternativeNames()
1675 throws CertificateParsingException {
1676 // return cached value if we can
1677 if (readOnly && issuerAlternativeNames != null) {
1678 return cloneAltNames(issuerAlternativeNames);
1679 }
1680 IssuerAlternativeNameExtension issuerAltNameExt =
1681 getIssuerAlternativeNameExtension();
1682 if (issuerAltNameExt == null) {
1683 return null;
1684 }
1685 GeneralNames names;
1686 try {
1687 names = issuerAltNameExt.get(
1688 IssuerAlternativeNameExtension.ISSUER_NAME);
1689 } catch (IOException ioe) {
1690 // should not occur
1691 return Collections.<List<?>>emptySet();
1692 }
1693 issuerAlternativeNames = makeAltNames(names);
1694 return issuerAlternativeNames;
1695 }
1696
1697 /**
1698 * This static method is the default implementation of the
1699 * getIssuerAlternaitveNames method in X509Certificate. A
1700 * X509Certificate provider generally should overwrite this to
1701 * provide among other things caching for better performance.
1702 */
1703 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
1704 throws CertificateParsingException {
1705 try {
1706 byte[] ext = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
1707 if (ext == null) {
1708 return null;
1709 }
1710
1711 DerValue val = new DerValue(ext);
1712 byte[] data = val.getOctetString();
1713
1714 IssuerAlternativeNameExtension issuerAltNameExt =
1715 new IssuerAlternativeNameExtension(Boolean.FALSE,
1716 data);
1717 GeneralNames names;
1718 try {
1719 names = issuerAltNameExt.get(
1720 IssuerAlternativeNameExtension.ISSUER_NAME);
1721 } catch (IOException ioe) {
1722 // should not occur
1723 return Collections.<List<?>>emptySet();
1724 }
1725 return makeAltNames(names);
1726 } catch (IOException ioe) {
1727 throw new CertificateParsingException(ioe);
1728 }
1729 }
1730
1731 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
1732 return (AuthorityInfoAccessExtension)
1733 getExtension(PKIXExtensions.AuthInfoAccess_Id);
1734 }
1735
1736 /************************************************************/
1737
1738 /*
1739 * Cert is a SIGNED ASN.1 macro, a three elment sequence:
1740 *
1741 * - Data to be signed (ToBeSigned) -- the "raw" cert
1742 * - Signature algorithm (SigAlgId)
1743 * - The signature bits
1744 *
1745 * This routine unmarshals the certificate, saving the signature
1746 * parts away for later verification.
1747 */
1748 private void parse(DerValue val)
1749 throws CertificateException, IOException {
1750 // check if can over write the certificate
1751 if (readOnly)
1752 throw new CertificateParsingException(
1753 "cannot over-write existing certificate");
1754
1755 if (val.data == null || val.tag != DerValue.tag_Sequence)
1756 throw new CertificateParsingException(
1757 "invalid DER-encoded certificate data");
1758
1759 signedCert = val.toByteArray();
1760 DerValue[] seq = new DerValue[3];
1761
1762 seq[0] = val.data.getDerValue();
1763 seq[1] = val.data.getDerValue();
1764 seq[2] = val.data.getDerValue();
1765
1766 if (val.data.available() != 0) {
1767 throw new CertificateParsingException("signed overrun, bytes = "
1768 + val.data.available());
1769 }
1770 if (seq[0].tag != DerValue.tag_Sequence) {
1771 throw new CertificateParsingException("signed fields invalid");
1772 }
1773
1774 algId = AlgorithmId.parse(seq[1]);
1775 signature = seq[2].getBitString();
1776
1777 if (seq[1].data.available() != 0) {
1778 throw new CertificateParsingException("algid field overrun");
1779 }
1780 if (seq[2].data.available() != 0)
1781 throw new CertificateParsingException("signed fields overrun");
1782
1783 // The CertificateInfo
1784 info = new X509CertInfo(seq[0]);
1785
1786 // the "inner" and "outer" signature algorithms must match
1787 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1788 CertificateAlgorithmId.NAME
1789 + DOT +
1790 CertificateAlgorithmId.ALGORITHM);
1791 if (! algId.equals(infoSigAlg))
1792 throw new CertificateException("Signature algorithm mismatch");
1793 readOnly = true;
1794 }
1795
1796 /**
1797 * Extract the subject or issuer X500Principal from an X509Certificate.
1798 * Parses the encoded form of the cert to preserve the principal's
1799 * ASN.1 encoding.
1800 */
1801 private static X500Principal getX500Principal(X509Certificate cert,
1802 boolean getIssuer) throws Exception {
1803 byte[] encoded = cert.getEncoded();
1804 DerInputStream derIn = new DerInputStream(encoded);
1805 DerValue tbsCert = derIn.getSequence(3)[0];
1806 DerInputStream tbsIn = tbsCert.data;
1807 DerValue tmp;
1808 tmp = tbsIn.getDerValue();
1809 // skip version number if present
1810 if (tmp.isContextSpecific((byte)0)) {
1811 tmp = tbsIn.getDerValue();
1812 }
1813 // tmp always contains serial number now
1814 tmp = tbsIn.getDerValue(); // skip signature
1815 tmp = tbsIn.getDerValue(); // issuer
1816 if (getIssuer == false) {
1817 tmp = tbsIn.getDerValue(); // skip validity
1818 tmp = tbsIn.getDerValue(); // subject
1819 }
1820 byte[] principalBytes = tmp.toByteArray();
1821 return new X500Principal(principalBytes);
1822 }
1823
1824 /**
1825 * Extract the subject X500Principal from an X509Certificate.
1826 * Called from java.security.cert.X509Certificate.getSubjectX500Principal().
1827 */
1828 public static X500Principal getSubjectX500Principal(X509Certificate cert) {
1829 try {
1830 return getX500Principal(cert, false);
1831 } catch (Exception e) {
1832 throw new RuntimeException("Could not parse subject", e);
1833 }
1834 }
1835
1836 /**
1837 * Extract the issuer X500Principal from an X509Certificate.
1838 * Called from java.security.cert.X509Certificate.getIssuerX500Principal().
1839 */
1840 public static X500Principal getIssuerX500Principal(X509Certificate cert) {
1841 try {
1842 return getX500Principal(cert, true);
1843 } catch (Exception e) {
1844 throw new RuntimeException("Could not parse issuer", e);
1845 }
1846 }
1847
1848 /**
1849 * Returned the encoding of the given certificate for internal use.
1850 * Callers must guarantee that they neither modify it nor expose it
1851 * to untrusted code. Uses getEncodedInternal() if the certificate
1852 * is instance of X509CertImpl, getEncoded() otherwise.
1853 */
1854 public static byte[] getEncodedInternal(Certificate cert)
1855 throws CertificateEncodingException {
1856 if (cert instanceof X509CertImpl) {
1857 return ((X509CertImpl)cert).getEncodedInternal();
1858 } else {
1859 return cert.getEncoded();
1860 }
1861 }
1862
1863 /**
1864 * Utility method to convert an arbitrary instance of X509Certificate
1865 * to a X509CertImpl. Does a cast if possible, otherwise reparses
1866 * the encoding.
1867 */
1868 public static X509CertImpl toImpl(X509Certificate cert)
1869 throws CertificateException {
1870 if (cert instanceof X509CertImpl) {
1871 return (X509CertImpl)cert;
1872 } else {
1873 return X509Factory.intern(cert);
1874 }
1875 }
1876
1877 /**
1878 * Utility method to test if a certificate is self-issued. This is
1879 * the case iff the subject and issuer X500Principals are equal.
1880 */
1881 public static boolean isSelfIssued(X509Certificate cert) {
1882 X500Principal subject = cert.getSubjectX500Principal();
1883 X500Principal issuer = cert.getIssuerX500Principal();
1884 return subject.equals(issuer);
1885 }
1886
1887 /**
1888 * Utility method to test if a certificate is self-signed. This is
1889 * the case iff the subject and issuer X500Principals are equal
1890 * AND the certificate's subject public key can be used to verify
1891 * the certificate. In case of exception, returns false.
1892 */
1893 public static boolean isSelfSigned(X509Certificate cert,
1894 String sigProvider) {
1895 if (isSelfIssued(cert)) {
1896 try {
1897 if (sigProvider == null) {
1898 cert.verify(cert.getPublicKey());
1899 } else {
1900 cert.verify(cert.getPublicKey(), sigProvider);
1901 }
1902 return true;
1903 } catch (Exception e) {
1904 // In case of exception, return false
1905 }
1906 }
1907 return false;
1908 }
1909
1910 private ConcurrentHashMap<String,String> fingerprints =
1911 new ConcurrentHashMap<>(2);
1912
1913 public String getFingerprint(String algorithm) {
1914 return fingerprints.computeIfAbsent(algorithm,
1915 x -> getFingerprint(x, this));
1916 }
1917
1918 /**
1919 * Gets the requested finger print of the certificate. The result
1920 * only contains 0-9 and A-F. No small case, no colon.
1921 */
1922 public static String getFingerprint(String algorithm,
1923 X509Certificate cert) {
1924 try {
1925 byte[] encCertInfo = cert.getEncoded();
1926 MessageDigest md = MessageDigest.getInstance(algorithm);
1927 byte[] digest = md.digest(encCertInfo);
1928 StringBuilder sb = new StringBuilder(digest.length * 2);
1929 for (int i = 0; i < digest.length; i++) {
1930 byte2hex(digest[i], sb);
1931 }
1932 return sb.toString();
1933 } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
1934 // ignored
1935 }
1936 return "";
1937 }
1938
1939 /**
1940 * Converts a byte to hex digit and writes to the supplied builder
1941 */
1942 private static void byte2hex(byte b, StringBuilder buf) {
1943 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
1944 '9', 'A', 'B', 'C', 'D', 'E', 'F' };
1945 int high = ((b & 0xf0) >> 4);
1946 int low = (b & 0x0f);
1947 buf.append(hexChars[high])
1948 .append(hexChars[low]);
1949 }
1950 }