25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.spec.AlgorithmParameterSpec;
38 import java.security.cert.*;
39 import java.security.cert.Certificate;
40 import java.util.*;
41 import java.util.concurrent.ConcurrentHashMap;
42
43 import javax.security.auth.x500.X500Principal;
44
45 import java.util.Base64;
46 import sun.security.util.*;
47 import sun.security.provider.X509Factory;
48
49 /**
50 * The X509CertImpl class represents an X.509 certificate. These certificates
51 * are widely used to support authentication and other functionality in
52 * Internet security systems. Common applications include Privacy Enhanced
53 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
54 * software distribution, and Secure Electronic Transactions (SET). There
55 * is a commercial infrastructure ready to manage large scale deployments
56 * of X.509 identity certificates.
57 *
58 * <P>These certificates are managed and vouched for by <em>Certificate
59 * Authorities</em> (CAs). CAs are services which create certificates by
60 * placing data in the X.509 standard format and then digitally signing
61 * that data. Such signatures are quite difficult to forge. CAs act as
62 * trusted third parties, making introductions between agents who have no
63 * direct knowledge of each other. CA certificates are either signed by
64 * themselves, or by some other CA such as a "root" CA.
65 *
137 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
138 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
139 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
140 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
141
142 // number of standard key usage bits.
143 private static final int NUM_STANDARD_KEY_USAGE = 9;
144
145 // SubjectAlterntativeNames cache
146 private Collection<List<?>> subjectAlternativeNames;
147
148 // IssuerAlternativeNames cache
149 private Collection<List<?>> issuerAlternativeNames;
150
151 // ExtendedKeyUsage cache
152 private List<String> extKeyUsage;
153
154 // AuthorityInformationAccess cache
155 private Set<AccessDescription> authInfoAccess;
156
157 /**
158 * PublicKey that has previously been used to verify
159 * the signature of this certificate. Null if the certificate has not
160 * yet been verified.
161 */
162 private PublicKey verifiedPublicKey;
163 /**
164 * If verifiedPublicKey is not null, name of the provider used to
165 * successfully verify the signature of this certificate, or the
166 * empty String if no provider was explicitly specified.
167 */
168 private String verifiedProvider;
169 /**
170 * If verifiedPublicKey is not null, result of the verification using
171 * verifiedPublicKey and verifiedProvider. If true, verification was
172 * successful, if false, it failed.
173 */
174 private boolean verificationResult;
175
176 /**
1844 algId = AlgorithmId.parse(seq[1]);
1845 signature = seq[2].getBitString();
1846
1847 if (seq[1].data.available() != 0) {
1848 throw new CertificateParsingException("algid field overrun");
1849 }
1850 if (seq[2].data.available() != 0)
1851 throw new CertificateParsingException("signed fields overrun");
1852
1853 // The CertificateInfo
1854 info = new X509CertInfo(seq[0]);
1855
1856 // the "inner" and "outer" signature algorithms must match
1857 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1858 CertificateAlgorithmId.NAME
1859 + DOT +
1860 CertificateAlgorithmId.ALGORITHM);
1861 if (! algId.equals(infoSigAlg))
1862 throw new CertificateException("Signature algorithm mismatch");
1863 readOnly = true;
1864 }
1865
1866 /**
1867 * Extract the subject or issuer X500Principal from an X509Certificate.
1868 * Parses the encoded form of the cert to preserve the principal's
1869 * ASN.1 encoding.
1870 */
1871 private static X500Principal getX500Principal(X509Certificate cert,
1872 boolean getIssuer) throws Exception {
1873 byte[] encoded = cert.getEncoded();
1874 DerInputStream derIn = new DerInputStream(encoded);
1875 DerValue tbsCert = derIn.getSequence(3)[0];
1876 DerInputStream tbsIn = tbsCert.data;
1877 DerValue tmp;
1878 tmp = tbsIn.getDerValue();
1879 // skip version number if present
1880 if (tmp.isContextSpecific((byte)0)) {
1881 tmp = tbsIn.getDerValue();
1882 }
1883 // tmp always contains serial number now
1999 for (int i = 0; i < digest.length; i++) {
2000 byte2hex(digest[i], sb);
2001 }
2002 return sb.toString();
2003 } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
2004 // ignored
2005 }
2006 return "";
2007 }
2008
2009 /**
2010 * Converts a byte to hex digit and writes to the supplied builder
2011 */
2012 private static void byte2hex(byte b, StringBuilder buf) {
2013 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
2014 '9', 'A', 'B', 'C', 'D', 'E', 'F' };
2015 int high = ((b & 0xf0) >> 4);
2016 int low = (b & 0x0f);
2017 buf.append(hexChars[high])
2018 .append(hexChars[low]);
2019 }
2020 }
|
25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.spec.AlgorithmParameterSpec;
38 import java.security.cert.*;
39 import java.security.cert.Certificate;
40 import java.util.*;
41 import java.util.concurrent.ConcurrentHashMap;
42
43 import javax.security.auth.x500.X500Principal;
44
45 import jdk.internal.event.EventHelper;
46 import jdk.internal.event.X509CertEvent;
47 import sun.security.util.*;
48 import sun.security.provider.X509Factory;
49
50 /**
51 * The X509CertImpl class represents an X.509 certificate. These certificates
52 * are widely used to support authentication and other functionality in
53 * Internet security systems. Common applications include Privacy Enhanced
54 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
55 * software distribution, and Secure Electronic Transactions (SET). There
56 * is a commercial infrastructure ready to manage large scale deployments
57 * of X.509 identity certificates.
58 *
59 * <P>These certificates are managed and vouched for by <em>Certificate
60 * Authorities</em> (CAs). CAs are services which create certificates by
61 * placing data in the X.509 standard format and then digitally signing
62 * that data. Such signatures are quite difficult to forge. CAs act as
63 * trusted third parties, making introductions between agents who have no
64 * direct knowledge of each other. CA certificates are either signed by
65 * themselves, or by some other CA such as a "root" CA.
66 *
138 private static final String BASIC_CONSTRAINT_OID = "2.5.29.19";
139 private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
140 private static final String ISSUER_ALT_NAME_OID = "2.5.29.18";
141 private static final String AUTH_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.1";
142
143 // number of standard key usage bits.
144 private static final int NUM_STANDARD_KEY_USAGE = 9;
145
146 // SubjectAlterntativeNames cache
147 private Collection<List<?>> subjectAlternativeNames;
148
149 // IssuerAlternativeNames cache
150 private Collection<List<?>> issuerAlternativeNames;
151
152 // ExtendedKeyUsage cache
153 private List<String> extKeyUsage;
154
155 // AuthorityInformationAccess cache
156 private Set<AccessDescription> authInfoAccess;
157
158 // Event recording cache list
159 private List<String> recordedCerts;
160
161 /**
162 * PublicKey that has previously been used to verify
163 * the signature of this certificate. Null if the certificate has not
164 * yet been verified.
165 */
166 private PublicKey verifiedPublicKey;
167 /**
168 * If verifiedPublicKey is not null, name of the provider used to
169 * successfully verify the signature of this certificate, or the
170 * empty String if no provider was explicitly specified.
171 */
172 private String verifiedProvider;
173 /**
174 * If verifiedPublicKey is not null, result of the verification using
175 * verifiedPublicKey and verifiedProvider. If true, verification was
176 * successful, if false, it failed.
177 */
178 private boolean verificationResult;
179
180 /**
1848 algId = AlgorithmId.parse(seq[1]);
1849 signature = seq[2].getBitString();
1850
1851 if (seq[1].data.available() != 0) {
1852 throw new CertificateParsingException("algid field overrun");
1853 }
1854 if (seq[2].data.available() != 0)
1855 throw new CertificateParsingException("signed fields overrun");
1856
1857 // The CertificateInfo
1858 info = new X509CertInfo(seq[0]);
1859
1860 // the "inner" and "outer" signature algorithms must match
1861 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1862 CertificateAlgorithmId.NAME
1863 + DOT +
1864 CertificateAlgorithmId.ALGORITHM);
1865 if (! algId.equals(infoSigAlg))
1866 throw new CertificateException("Signature algorithm mismatch");
1867 readOnly = true;
1868
1869 X509CertEvent xce = new X509CertEvent();
1870 if (xce.isEnabled() || EventHelper.isLoggingSecurity()) {
1871 commitEvent(xce);
1872 }
1873 }
1874
1875 /**
1876 * Extract the subject or issuer X500Principal from an X509Certificate.
1877 * Parses the encoded form of the cert to preserve the principal's
1878 * ASN.1 encoding.
1879 */
1880 private static X500Principal getX500Principal(X509Certificate cert,
1881 boolean getIssuer) throws Exception {
1882 byte[] encoded = cert.getEncoded();
1883 DerInputStream derIn = new DerInputStream(encoded);
1884 DerValue tbsCert = derIn.getSequence(3)[0];
1885 DerInputStream tbsIn = tbsCert.data;
1886 DerValue tmp;
1887 tmp = tbsIn.getDerValue();
1888 // skip version number if present
1889 if (tmp.isContextSpecific((byte)0)) {
1890 tmp = tbsIn.getDerValue();
1891 }
1892 // tmp always contains serial number now
2008 for (int i = 0; i < digest.length; i++) {
2009 byte2hex(digest[i], sb);
2010 }
2011 return sb.toString();
2012 } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
2013 // ignored
2014 }
2015 return "";
2016 }
2017
2018 /**
2019 * Converts a byte to hex digit and writes to the supplied builder
2020 */
2021 private static void byte2hex(byte b, StringBuilder buf) {
2022 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
2023 '9', 'A', 'B', 'C', 'D', 'E', 'F' };
2024 int high = ((b & 0xf0) >> 4);
2025 int low = (b & 0x0f);
2026 buf.append(hexChars[high])
2027 .append(hexChars[low]);
2028 }
2029
2030 private void commitEvent(X509CertEvent xce) {
2031 if(recordedCerts == null) {
2032 recordedCerts = new ArrayList<>();
2033 }
2034 String serNum = getSerialNumber().toString(16);
2035 if (!recordedCerts.contains(serNum)) {
2036 recordedCerts.add(serNum);
2037 try {
2038 PublicKey pKey = info.pubKey.get(CertificateX509Key.KEY);
2039 EventHelper.commitX509CertEvent(xce,
2040 info.algId.get(CertificateAlgorithmId.ALGORITHM).getName(),
2041 serNum, info.subject.getName(), info.issuer.getName(),
2042 pKey.getAlgorithm(), KeyUtil.getKeySize(pKey),
2043 info.interval.get(CertificateValidity.NOT_BEFORE).getTime(),
2044 info.interval.get(CertificateValidity.NOT_AFTER).getTime());
2045 } catch (IOException e) {
2046 // ignore for recording purposes
2047 }
2048 }
2049 }
2050 }
|