1 /*
2 * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.BufferedReader;
29 import java.io.BufferedInputStream;
30 import java.io.ByteArrayOutputStream;
31 import java.io.IOException;
32 import java.io.InputStream;
33 import java.io.InputStreamReader;
34 import java.io.OutputStream;
35 import java.math.BigInteger;
36 import java.security.*;
37 import java.security.spec.AlgorithmParameterSpec;
38 import java.security.cert.*;
39 import java.security.cert.Certificate;
40 import java.util.*;
41 import java.util.concurrent.ConcurrentHashMap;
42
43 import javax.security.auth.x500.X500Principal;
44
45 import sun.security.util.*;
46 import sun.security.provider.X509Factory;
47
48 import static java.nio.charset.StandardCharsets.US_ASCII;
49
50 /**
51 * The X509CertImpl class represents an X.509 certificate. These certificates
52 * are widely used to support authentication and other functionality in
53 * Internet security systems. Common applications include Privacy Enhanced
54 * Mail (PEM), Transport Layer Security (SSL), code signing for trusted
55 * software distribution, and Secure Electronic Transactions (SET). There
56 * is a commercial infrastructure ready to manage large scale deployments
57 * of X.509 identity certificates.
58 *
59 * <P>These certificates are managed and vouched for by <em>Certificate
60 * Authorities</em> (CAs). CAs are services which create certificates by
61 * placing data in the X.509 standard format and then digitally signing
62 * that data. Such signatures are quite difficult to forge. CAs act as
63 * trusted third parties, making introductions between agents who have no
64 * direct knowledge of each other. CA certificates are either signed by
65 * themselves, or by some other CA such as a "root" CA.
66 *
67 * <P> Standards relating to X.509 Public Key Infrastructure for the Internet
68 * can be referenced in RFC 5280.
69 *
70 * @author Dave Brownell
71 * @author Amit Kapoor
72 * @author Hemma Prafullchandra
73 * @see X509CertInfo
74 */
75 @SuppressWarnings("serial") // See writeReplace method in Certificate
76 public class X509CertImpl extends X509Certificate implements DerEncoder {
77
78 @java.io.Serial
79 private static final long serialVersionUID = -3457612960190864406L;
80
81 private static final char DOT = '.';
82 /**
83 * Public attribute names.
84 */
85 public static final String NAME = "x509";
86 public static final String INFO = X509CertInfo.NAME;
87 public static final String ALG_ID = "algorithm";
88 public static final String SIGNATURE = "signature";
89 public static final String SIGNED_CERT = "signed_cert";
90
91 /**
92 * The following are defined for ease-of-use. These
93 * are the most frequently retrieved attributes.
94 */
95 // x509.info.subject.dname
96 public static final String SUBJECT_DN = NAME + DOT + INFO + DOT +
97 X509CertInfo.SUBJECT + DOT + X509CertInfo.DN_NAME;
98 // x509.info.issuer.dname
99 public static final String ISSUER_DN = NAME + DOT + INFO + DOT +
100 X509CertInfo.ISSUER + DOT + X509CertInfo.DN_NAME;
101 // x509.info.serialNumber.number
102 public static final String SERIAL_ID = NAME + DOT + INFO + DOT +
103 X509CertInfo.SERIAL_NUMBER + DOT +
104 CertificateSerialNumber.NUMBER;
105 // x509.info.key.value
106 public static final String PUBLIC_KEY = NAME + DOT + INFO + DOT +
107 X509CertInfo.KEY + DOT +
108 CertificateX509Key.KEY;
109
110 // x509.info.version.value
111 public static final String VERSION = NAME + DOT + INFO + DOT +
112 X509CertInfo.VERSION + DOT +
113 CertificateVersion.VERSION;
114
115 // x509.algorithm
116 public static final String SIG_ALG = NAME + DOT + ALG_ID;
117
118 // x509.signature
119 public static final String SIG = NAME + DOT + SIGNATURE;
120
121 // when we sign and decode we set this to true
122 // this is our means to make certificates immutable
123 private boolean readOnly = false;
124
125 // Certificate data, and its envelope
126 private byte[] signedCert = null;
127 protected X509CertInfo info = null;
128 protected AlgorithmId algId = null;
129 protected byte[] signature = null;
130
131 // number of standard key usage bits.
132 private static final int NUM_STANDARD_KEY_USAGE = 9;
133
134 // SubjectAlterntativeNames cache
135 private Collection<List<?>> subjectAlternativeNames;
136
137 // IssuerAlternativeNames cache
138 private Collection<List<?>> issuerAlternativeNames;
139
140 // ExtendedKeyUsage cache
141 private List<String> extKeyUsage;
142
143 // AuthorityInformationAccess cache
144 private Set<AccessDescription> authInfoAccess;
145
146 /**
147 * PublicKey that has previously been used to verify
148 * the signature of this certificate. Null if the certificate has not
149 * yet been verified.
150 */
151 private PublicKey verifiedPublicKey;
152 /**
153 * If verifiedPublicKey is not null, name of the provider used to
154 * successfully verify the signature of this certificate, or the
155 * empty String if no provider was explicitly specified.
156 */
157 private String verifiedProvider;
158 /**
159 * If verifiedPublicKey is not null, result of the verification using
160 * verifiedPublicKey and verifiedProvider. If true, verification was
161 * successful, if false, it failed.
162 */
163 private boolean verificationResult;
164
165 /**
166 * Default constructor.
167 */
168 public X509CertImpl() { }
169
170 /**
171 * Unmarshals a certificate from its encoded form, parsing the
172 * encoded bytes. This form of constructor is used by agents which
173 * need to examine and use certificate contents. That is, this is
174 * one of the more commonly used constructors. Note that the buffer
175 * must include only a certificate, and no "garbage" may be left at
176 * the end. If you need to ignore data at the end of a certificate,
177 * use another constructor.
178 *
179 * @param certData the encoded bytes, with no trailing padding.
180 * @exception CertificateException on parsing and initialization errors.
181 */
182 public X509CertImpl(byte[] certData) throws CertificateException {
183 try {
184 parse(new DerValue(certData));
185 } catch (IOException e) {
186 signedCert = null;
187 throw new CertificateException("Unable to initialize, " + e, e);
188 }
189 }
190
191 /**
192 * unmarshals an X.509 certificate from an input stream. If the
193 * certificate is RFC1421 hex-encoded, then it must begin with
194 * the line X509Factory.BEGIN_CERT and end with the line
195 * X509Factory.END_CERT.
196 *
197 * @param in an input stream holding at least one certificate that may
198 * be either DER-encoded or RFC1421 hex-encoded version of the
199 * DER-encoded certificate.
200 * @exception CertificateException on parsing and initialization errors.
201 */
202 public X509CertImpl(InputStream in) throws CertificateException {
203
204 DerValue der = null;
205
206 BufferedInputStream inBuffered = new BufferedInputStream(in);
207
208 // First try reading stream as HEX-encoded DER-encoded bytes,
209 // since not mistakable for raw DER
210 try {
211 inBuffered.mark(Integer.MAX_VALUE);
212 der = readRFC1421Cert(inBuffered);
213 } catch (IOException ioe) {
214 try {
215 // Next, try reading stream as raw DER-encoded bytes
216 inBuffered.reset();
217 der = new DerValue(inBuffered);
218 } catch (IOException ioe1) {
219 throw new CertificateException("Input stream must be " +
220 "either DER-encoded bytes " +
221 "or RFC1421 hex-encoded " +
222 "DER-encoded bytes: " +
223 ioe1.getMessage(), ioe1);
224 }
225 }
226 try {
227 parse(der);
228 } catch (IOException ioe) {
229 signedCert = null;
230 throw new CertificateException("Unable to parse DER value of " +
231 "certificate, " + ioe, ioe);
232 }
233 }
234
235 /**
236 * read input stream as HEX-encoded DER-encoded bytes
237 *
238 * @param in InputStream to read
239 * @return DerValue corresponding to decoded HEX-encoded bytes
240 * @throws IOException if stream can not be interpreted as RFC1421
241 * encoded bytes
242 */
243 private DerValue readRFC1421Cert(InputStream in) throws IOException {
244 DerValue der = null;
245 String line = null;
246 BufferedReader certBufferedReader =
247 new BufferedReader(new InputStreamReader(in, US_ASCII));
248 try {
249 line = certBufferedReader.readLine();
250 } catch (IOException ioe1) {
251 throw new IOException("Unable to read InputStream: " +
252 ioe1.getMessage());
253 }
254 if (line.equals(X509Factory.BEGIN_CERT)) {
255 /* stream appears to be hex-encoded bytes */
256 ByteArrayOutputStream decstream = new ByteArrayOutputStream();
257 try {
258 while ((line = certBufferedReader.readLine()) != null) {
259 if (line.equals(X509Factory.END_CERT)) {
260 der = new DerValue(decstream.toByteArray());
261 break;
262 } else {
263 decstream.write(Pem.decode(line));
264 }
265 }
266 } catch (IOException ioe2) {
267 throw new IOException("Unable to read InputStream: "
268 + ioe2.getMessage());
269 }
270 } else {
271 throw new IOException("InputStream is not RFC1421 hex-encoded " +
272 "DER bytes");
273 }
274 return der;
275 }
276
277 /**
278 * Construct an initialized X509 Certificate. The certificate is stored
279 * in raw form and has to be signed to be useful.
280 *
281 * @param certInfo the X509CertificateInfo which the Certificate is to be
282 * created from.
283 */
284 public X509CertImpl(X509CertInfo certInfo) {
285 this.info = certInfo;
286 }
287
288 /**
289 * Unmarshal a certificate from its encoded form, parsing a DER value.
290 * This form of constructor is used by agents which need to examine
291 * and use certificate contents.
292 *
293 * @param derVal the der value containing the encoded cert.
294 * @exception CertificateException on parsing and initialization errors.
295 */
296 public X509CertImpl(DerValue derVal) throws CertificateException {
297 try {
298 parse(derVal);
299 } catch (IOException e) {
300 signedCert = null;
301 throw new CertificateException("Unable to initialize, " + e, e);
302 }
303 }
304
305 /**
306 * Appends the certificate to an output stream.
307 *
308 * @param out an input stream to which the certificate is appended.
309 * @exception CertificateEncodingException on encoding errors.
310 */
311 public void encode(OutputStream out)
312 throws CertificateEncodingException {
313 if (signedCert == null)
314 throw new CertificateEncodingException(
315 "Null certificate to encode");
316 try {
317 out.write(signedCert.clone());
318 } catch (IOException e) {
319 throw new CertificateEncodingException(e.toString());
320 }
321 }
322
323 /**
324 * DER encode this object onto an output stream.
325 * Implements the <code>DerEncoder</code> interface.
326 *
327 * @param out the output stream on which to write the DER encoding.
328 *
329 * @exception IOException on encoding error.
330 */
331 public void derEncode(OutputStream out) throws IOException {
332 if (signedCert == null)
333 throw new IOException("Null certificate to encode");
334 out.write(signedCert.clone());
335 }
336
337 /**
338 * Returns the encoded form of this certificate. It is
339 * assumed that each certificate type would have only a single
340 * form of encoding; for example, X.509 certificates would
341 * be encoded as ASN.1 DER.
342 *
343 * @exception CertificateEncodingException if an encoding error occurs.
344 */
345 public byte[] getEncoded() throws CertificateEncodingException {
346 return getEncodedInternal().clone();
347 }
348
349 /**
350 * Returned the encoding as an uncloned byte array. Callers must
351 * guarantee that they neither modify it nor expose it to untrusted
352 * code.
353 */
354 public byte[] getEncodedInternal() throws CertificateEncodingException {
355 if (signedCert == null) {
356 throw new CertificateEncodingException(
357 "Null certificate to encode");
358 }
359 return signedCert;
360 }
361
362 /**
363 * Throws an exception if the certificate was not signed using the
364 * verification key provided. Successfully verifying a certificate
365 * does <em>not</em> indicate that one should trust the entity which
366 * it represents.
367 *
368 * @param key the public key used for verification.
369 *
370 * @exception InvalidKeyException on incorrect key.
371 * @exception NoSuchAlgorithmException on unsupported signature
372 * algorithms.
373 * @exception NoSuchProviderException if there's no default provider.
374 * @exception SignatureException on signature errors.
375 * @exception CertificateException on encoding errors.
376 */
377 public void verify(PublicKey key)
378 throws CertificateException, NoSuchAlgorithmException,
379 InvalidKeyException, NoSuchProviderException, SignatureException {
380 verify(key, "");
381 }
382
383 /**
384 * Throws an exception if the certificate was not signed using the
385 * verification key provided. Successfully verifying a certificate
386 * does <em>not</em> indicate that one should trust the entity which
387 * it represents.
388 *
389 * @param key the public key used for verification.
390 * @param sigProvider the name of the provider.
391 *
392 * @exception NoSuchAlgorithmException on unsupported signature
393 * algorithms.
394 * @exception InvalidKeyException on incorrect key.
395 * @exception NoSuchProviderException on incorrect provider.
396 * @exception SignatureException on signature errors.
397 * @exception CertificateException on encoding errors.
398 */
399 public synchronized void verify(PublicKey key, String sigProvider)
400 throws CertificateException, NoSuchAlgorithmException,
401 InvalidKeyException, NoSuchProviderException, SignatureException {
402 if (sigProvider == null) {
403 sigProvider = "";
404 }
405 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
406 // this certificate has already been verified using
407 // this public key. Make sure providers match, too.
408 if (sigProvider.equals(verifiedProvider)) {
409 if (verificationResult) {
410 return;
411 } else {
412 throw new SignatureException("Signature does not match.");
413 }
414 }
415 }
416 if (signedCert == null) {
417 throw new CertificateEncodingException("Uninitialized certificate");
418 }
419 // Verify the signature ...
420 Signature sigVerf = null;
421 String sigName = algId.getName();
422 if (sigProvider.isEmpty()) {
423 sigVerf = Signature.getInstance(sigName);
424 } else {
425 sigVerf = Signature.getInstance(sigName, sigProvider);
426 }
427
428 try {
429 SignatureUtil.initVerifyWithParam(sigVerf, key,
430 SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
431 } catch (ProviderException e) {
432 throw new CertificateException(e.getMessage(), e.getCause());
433 } catch (InvalidAlgorithmParameterException e) {
434 throw new CertificateException(e);
435 }
436
437 byte[] rawCert = info.getEncodedInfo();
438 sigVerf.update(rawCert, 0, rawCert.length);
439
440 // verify may throw SignatureException for invalid encodings, etc.
441 verificationResult = sigVerf.verify(signature);
442 verifiedPublicKey = key;
443 verifiedProvider = sigProvider;
444
445 if (verificationResult == false) {
446 throw new SignatureException("Signature does not match.");
447 }
448 }
449
450 /**
451 * Throws an exception if the certificate was not signed using the
452 * verification key provided. This method uses the signature verification
453 * engine supplied by the specified provider. Note that the specified
454 * Provider object does not have to be registered in the provider list.
455 * Successfully verifying a certificate does <em>not</em> indicate that one
456 * should trust the entity which it represents.
457 *
458 * @param key the public key used for verification.
459 * @param sigProvider the provider.
460 *
461 * @exception NoSuchAlgorithmException on unsupported signature
462 * algorithms.
463 * @exception InvalidKeyException on incorrect key.
464 * @exception SignatureException on signature errors.
465 * @exception CertificateException on encoding errors.
466 */
467 public synchronized void verify(PublicKey key, Provider sigProvider)
468 throws CertificateException, NoSuchAlgorithmException,
469 InvalidKeyException, SignatureException {
470 if (signedCert == null) {
471 throw new CertificateEncodingException("Uninitialized certificate");
472 }
473 // Verify the signature ...
474 Signature sigVerf = null;
475 String sigName = algId.getName();
476 if (sigProvider == null) {
477 sigVerf = Signature.getInstance(sigName);
478 } else {
479 sigVerf = Signature.getInstance(sigName, sigProvider);
480 }
481
482 try {
483 SignatureUtil.initVerifyWithParam(sigVerf, key,
484 SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
485 } catch (ProviderException e) {
486 throw new CertificateException(e.getMessage(), e.getCause());
487 } catch (InvalidAlgorithmParameterException e) {
488 throw new CertificateException(e);
489 }
490
491 byte[] rawCert = info.getEncodedInfo();
492 sigVerf.update(rawCert, 0, rawCert.length);
493
494 // verify may throw SignatureException for invalid encodings, etc.
495 verificationResult = sigVerf.verify(signature);
496 verifiedPublicKey = key;
497
498 if (verificationResult == false) {
499 throw new SignatureException("Signature does not match.");
500 }
501 }
502
503 /**
504 * Creates an X.509 certificate, and signs it using the given key
505 * (associating a signature algorithm and an X.500 name).
506 * This operation is used to implement the certificate generation
507 * functionality of a certificate authority.
508 *
509 * @param key the private key used for signing.
510 * @param algorithm the name of the signature algorithm used.
511 *
512 * @exception InvalidKeyException on incorrect key.
513 * @exception NoSuchAlgorithmException on unsupported signature
514 * algorithms.
515 * @exception NoSuchProviderException if there's no default provider.
516 * @exception SignatureException on signature errors.
517 * @exception CertificateException on encoding errors.
518 */
519 public void sign(PrivateKey key, String algorithm)
520 throws CertificateException, NoSuchAlgorithmException,
521 InvalidKeyException, NoSuchProviderException, SignatureException {
522 sign(key, algorithm, null);
523 }
524
525 /**
526 * Creates an X.509 certificate, and signs it using the given key
527 * (associating a signature algorithm and an X.500 name).
528 * This operation is used to implement the certificate generation
529 * functionality of a certificate authority.
530 *
531 * @param key the private key used for signing.
532 * @param algorithm the name of the signature algorithm used.
533 * @param provider the name of the provider.
534 *
535 * @exception NoSuchAlgorithmException on unsupported signature
536 * algorithms.
537 * @exception InvalidKeyException on incorrect key.
538 * @exception NoSuchProviderException on incorrect provider.
539 * @exception SignatureException on signature errors.
540 * @exception CertificateException on encoding errors.
541 */
542 public void sign(PrivateKey key, String algorithm, String provider)
543 throws CertificateException, NoSuchAlgorithmException,
544 InvalidKeyException, NoSuchProviderException, SignatureException {
545 try {
546 sign(key, null, algorithm, provider);
547 } catch (InvalidAlgorithmParameterException e) {
548 // should not happen; re-throw just in case
549 throw new SignatureException(e);
550 }
551 }
552
553 /**
554 * Creates an X.509 certificate, and signs it using the given key
555 * (associating a signature algorithm and an X.500 name), signature
556 * parameters, and security provider. If the given provider name
557 * is null or empty, the implementation look up will be based on
558 * provider configurations.
559 * This operation is used to implement the certificate generation
560 * functionality of a certificate authority.
561 *
562 * @param key the private key used for signing
563 * @param signingParams the parameters used for signing
564 * @param algorithm the name of the signature algorithm used
565 * @param provider the name of the provider, may be null
566 *
567 * @exception NoSuchAlgorithmException on unsupported signature
568 * algorithms
569 * @exception InvalidKeyException on incorrect key
570 * @exception InvalidAlgorithmParameterException on invalid signature
571 * parameters
572 * @exception NoSuchProviderException on incorrect provider
573 * @exception SignatureException on signature errors
574 * @exception CertificateException on encoding errors
575 */
576 public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
577 String algorithm, String provider)
578 throws CertificateException, NoSuchAlgorithmException,
579 InvalidKeyException, InvalidAlgorithmParameterException,
580 NoSuchProviderException, SignatureException {
581 try {
582 if (readOnly) {
583 throw new CertificateEncodingException(
584 "cannot over-write existing certificate");
585 }
586 Signature sigEngine = null;
587 if (provider == null || provider.isEmpty()) {
588 sigEngine = Signature.getInstance(algorithm);
589 } else {
590 sigEngine = Signature.getInstance(algorithm, provider);
591 }
592
593 SignatureUtil.initSignWithParam(sigEngine, key, signingParams,
594 null);
595
596 if (signingParams != null) {
597 algId = AlgorithmId.get(sigEngine.getParameters());
598 } else {
599 // in case the name is reset
600 algId = AlgorithmId.get(sigEngine.getAlgorithm());
601 }
602 DerOutputStream out = new DerOutputStream();
603 DerOutputStream tmp = new DerOutputStream();
604
605 // encode certificate info
606 info.encode(tmp);
607 byte[] rawCert = tmp.toByteArray();
608
609 // encode algorithm identifier
610 algId.encode(tmp);
611
612 // Create and encode the signature itself.
613 sigEngine.update(rawCert, 0, rawCert.length);
614 signature = sigEngine.sign();
615 tmp.putBitString(signature);
616
617 // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
618 out.write(DerValue.tag_Sequence, tmp);
619 signedCert = out.toByteArray();
620 readOnly = true;
621
622 } catch (IOException e) {
623 throw new CertificateEncodingException(e.toString());
624 }
625 }
626
627 /**
628 * Checks that the certificate is currently valid, i.e. the current
629 * time is within the specified validity period.
630 *
631 * @exception CertificateExpiredException if the certificate has expired.
632 * @exception CertificateNotYetValidException if the certificate is not
633 * yet valid.
634 */
635 public void checkValidity()
636 throws CertificateExpiredException, CertificateNotYetValidException {
637 Date date = new Date();
638 checkValidity(date);
639 }
640
641 /**
642 * Checks that the specified date is within the certificate's
643 * validity period, or basically if the certificate would be
644 * valid at the specified date/time.
645 *
646 * @param date the Date to check against to see if this certificate
647 * is valid at that date/time.
648 *
649 * @exception CertificateExpiredException if the certificate has expired
650 * with respect to the <code>date</code> supplied.
651 * @exception CertificateNotYetValidException if the certificate is not
652 * yet valid with respect to the <code>date</code> supplied.
653 */
654 public void checkValidity(Date date)
655 throws CertificateExpiredException, CertificateNotYetValidException {
656
657 CertificateValidity interval = null;
658 try {
659 interval = (CertificateValidity)info.get(CertificateValidity.NAME);
660 } catch (Exception e) {
661 throw new CertificateNotYetValidException("Incorrect validity period");
662 }
663 if (interval == null)
664 throw new CertificateNotYetValidException("Null validity period");
665 interval.valid(date);
666 }
667
668 /**
669 * Return the requested attribute from the certificate.
670 *
671 * Note that the X509CertInfo is not cloned for performance reasons.
672 * Callers must ensure that they do not modify it. All other
673 * attributes are cloned.
674 *
675 * @param name the name of the attribute.
676 * @exception CertificateParsingException on invalid attribute identifier.
677 */
678 public Object get(String name)
679 throws CertificateParsingException {
680 X509AttributeName attr = new X509AttributeName(name);
681 String id = attr.getPrefix();
682 if (!(id.equalsIgnoreCase(NAME))) {
683 throw new CertificateParsingException("Invalid root of "
684 + "attribute name, expected [" + NAME +
685 "], received " + "[" + id + "]");
686 }
687 attr = new X509AttributeName(attr.getSuffix());
688 id = attr.getPrefix();
689
690 if (id.equalsIgnoreCase(INFO)) {
691 if (info == null) {
692 return null;
693 }
694 if (attr.getSuffix() != null) {
695 try {
696 return info.get(attr.getSuffix());
697 } catch (IOException e) {
698 throw new CertificateParsingException(e.toString());
699 } catch (CertificateException e) {
700 throw new CertificateParsingException(e.toString());
701 }
702 } else {
703 return info;
704 }
705 } else if (id.equalsIgnoreCase(ALG_ID)) {
706 return(algId);
707 } else if (id.equalsIgnoreCase(SIGNATURE)) {
708 if (signature != null)
709 return signature.clone();
710 else
711 return null;
712 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
713 if (signedCert != null)
714 return signedCert.clone();
715 else
716 return null;
717 } else {
718 throw new CertificateParsingException("Attribute name not "
719 + "recognized or get() not allowed for the same: " + id);
720 }
721 }
722
723 /**
724 * Set the requested attribute in the certificate.
725 *
726 * @param name the name of the attribute.
727 * @param obj the value of the attribute.
728 * @exception CertificateException on invalid attribute identifier.
729 * @exception IOException on encoding error of attribute.
730 */
731 public void set(String name, Object obj)
732 throws CertificateException, IOException {
733 // check if immutable
734 if (readOnly)
735 throw new CertificateException("cannot over-write existing"
736 + " certificate");
737
738 X509AttributeName attr = new X509AttributeName(name);
739 String id = attr.getPrefix();
740 if (!(id.equalsIgnoreCase(NAME))) {
741 throw new CertificateException("Invalid root of attribute name,"
742 + " expected [" + NAME + "], received " + id);
743 }
744 attr = new X509AttributeName(attr.getSuffix());
745 id = attr.getPrefix();
746
747 if (id.equalsIgnoreCase(INFO)) {
748 if (attr.getSuffix() == null) {
749 if (!(obj instanceof X509CertInfo)) {
750 throw new CertificateException("Attribute value should"
751 + " be of type X509CertInfo.");
752 }
753 info = (X509CertInfo)obj;
754 signedCert = null; //reset this as certificate data has changed
755 } else {
756 info.set(attr.getSuffix(), obj);
757 signedCert = null; //reset this as certificate data has changed
758 }
759 } else {
760 throw new CertificateException("Attribute name not recognized or " +
761 "set() not allowed for the same: " + id);
762 }
763 }
764
765 /**
766 * Delete the requested attribute from the certificate.
767 *
768 * @param name the name of the attribute.
769 * @exception CertificateException on invalid attribute identifier.
770 * @exception IOException on other errors.
771 */
772 public void delete(String name)
773 throws CertificateException, IOException {
774 // check if immutable
775 if (readOnly)
776 throw new CertificateException("cannot over-write existing"
777 + " certificate");
778
779 X509AttributeName attr = new X509AttributeName(name);
780 String id = attr.getPrefix();
781 if (!(id.equalsIgnoreCase(NAME))) {
782 throw new CertificateException("Invalid root of attribute name,"
783 + " expected ["
784 + NAME + "], received " + id);
785 }
786 attr = new X509AttributeName(attr.getSuffix());
787 id = attr.getPrefix();
788
789 if (id.equalsIgnoreCase(INFO)) {
790 if (attr.getSuffix() != null) {
791 info = null;
792 } else {
793 info.delete(attr.getSuffix());
794 }
795 } else if (id.equalsIgnoreCase(ALG_ID)) {
796 algId = null;
797 } else if (id.equalsIgnoreCase(SIGNATURE)) {
798 signature = null;
799 } else if (id.equalsIgnoreCase(SIGNED_CERT)) {
800 signedCert = null;
801 } else {
802 throw new CertificateException("Attribute name not recognized or " +
803 "delete() not allowed for the same: " + id);
804 }
805 }
806
807 /**
808 * Return an enumeration of names of attributes existing within this
809 * attribute.
810 */
811 public Enumeration<String> getElements() {
812 AttributeNameEnumeration elements = new AttributeNameEnumeration();
813 elements.addElement(NAME + DOT + INFO);
814 elements.addElement(NAME + DOT + ALG_ID);
815 elements.addElement(NAME + DOT + SIGNATURE);
816 elements.addElement(NAME + DOT + SIGNED_CERT);
817
818 return elements.elements();
819 }
820
821 /**
822 * Return the name of this attribute.
823 */
824 public String getName() {
825 return(NAME);
826 }
827
828 /**
829 * Returns a printable representation of the certificate. This does not
830 * contain all the information available to distinguish this from any
831 * other certificate. The certificate must be fully constructed
832 * before this function may be called.
833 */
834 public String toString() {
835 if (info == null || algId == null || signature == null)
836 return "";
837
838 HexDumpEncoder encoder = new HexDumpEncoder();
839 return "[\n" + info + '\n' +
840 " Algorithm: [" + algId + "]\n" +
841 " Signature:\n" + encoder.encodeBuffer(signature) + "\n]";
842 }
843
844 // the strongly typed gets, as per java.security.cert.X509Certificate
845
846 /**
847 * Gets the publickey from this certificate.
848 *
849 * @return the publickey.
850 */
851 public PublicKey getPublicKey() {
852 if (info == null)
853 return null;
854 try {
855 PublicKey key = (PublicKey)info.get(CertificateX509Key.NAME
856 + DOT + CertificateX509Key.KEY);
857 return key;
858 } catch (Exception e) {
859 return null;
860 }
861 }
862
863 /**
864 * Gets the version number from the certificate.
865 *
866 * @return the version number, i.e. 1, 2 or 3.
867 */
868 public int getVersion() {
869 if (info == null)
870 return -1;
871 try {
872 int vers = ((Integer)info.get(CertificateVersion.NAME
873 + DOT + CertificateVersion.VERSION)).intValue();
874 return vers+1;
875 } catch (Exception e) {
876 return -1;
877 }
878 }
879
880 /**
881 * Gets the serial number from the certificate.
882 *
883 * @return the serial number.
884 */
885 public BigInteger getSerialNumber() {
886 SerialNumber ser = getSerialNumberObject();
887
888 return ser != null ? ser.getNumber() : null;
889 }
890
891 /**
892 * Gets the serial number from the certificate as
893 * a SerialNumber object.
894 *
895 * @return the serial number.
896 */
897 public SerialNumber getSerialNumberObject() {
898 if (info == null)
899 return null;
900 try {
901 SerialNumber ser = (SerialNumber)info.get(
902 CertificateSerialNumber.NAME + DOT +
903 CertificateSerialNumber.NUMBER);
904 return ser;
905 } catch (Exception e) {
906 return null;
907 }
908 }
909
910
911 /**
912 * Gets the subject distinguished name from the certificate.
913 *
914 * @return the subject name.
915 */
916 public Principal getSubjectDN() {
917 if (info == null)
918 return null;
919 try {
920 Principal subject = (Principal)info.get(X509CertInfo.SUBJECT + DOT +
921 X509CertInfo.DN_NAME);
922 return subject;
923 } catch (Exception e) {
924 return null;
925 }
926 }
927
928 /**
929 * Get subject name as X500Principal. Overrides implementation in
930 * X509Certificate with a slightly more efficient version that is
931 * also aware of X509CertImpl mutability.
932 */
933 public X500Principal getSubjectX500Principal() {
934 if (info == null) {
935 return null;
936 }
937 try {
938 X500Principal subject = (X500Principal)info.get(
939 X509CertInfo.SUBJECT + DOT +
940 "x500principal");
941 return subject;
942 } catch (Exception e) {
943 return null;
944 }
945 }
946
947 /**
948 * Gets the issuer distinguished name from the certificate.
949 *
950 * @return the issuer name.
951 */
952 public Principal getIssuerDN() {
953 if (info == null)
954 return null;
955 try {
956 Principal issuer = (Principal)info.get(X509CertInfo.ISSUER + DOT +
957 X509CertInfo.DN_NAME);
958 return issuer;
959 } catch (Exception e) {
960 return null;
961 }
962 }
963
964 /**
965 * Get issuer name as X500Principal. Overrides implementation in
966 * X509Certificate with a slightly more efficient version that is
967 * also aware of X509CertImpl mutability.
968 */
969 public X500Principal getIssuerX500Principal() {
970 if (info == null) {
971 return null;
972 }
973 try {
974 X500Principal issuer = (X500Principal)info.get(
975 X509CertInfo.ISSUER + DOT +
976 "x500principal");
977 return issuer;
978 } catch (Exception e) {
979 return null;
980 }
981 }
982
983 /**
984 * Gets the notBefore date from the validity period of the certificate.
985 *
986 * @return the start date of the validity period.
987 */
988 public Date getNotBefore() {
989 if (info == null)
990 return null;
991 try {
992 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
993 CertificateValidity.NOT_BEFORE);
994 return d;
995 } catch (Exception e) {
996 return null;
997 }
998 }
999
1000 /**
1001 * Gets the notAfter date from the validity period of the certificate.
1002 *
1003 * @return the end date of the validity period.
1004 */
1005 public Date getNotAfter() {
1006 if (info == null)
1007 return null;
1008 try {
1009 Date d = (Date) info.get(CertificateValidity.NAME + DOT +
1010 CertificateValidity.NOT_AFTER);
1011 return d;
1012 } catch (Exception e) {
1013 return null;
1014 }
1015 }
1016
1017 /**
1018 * Gets the DER encoded certificate informations, the
1019 * <code>tbsCertificate</code> from this certificate.
1020 * This can be used to verify the signature independently.
1021 *
1022 * @return the DER encoded certificate information.
1023 * @exception CertificateEncodingException if an encoding error occurs.
1024 */
1025 public byte[] getTBSCertificate() throws CertificateEncodingException {
1026 if (info != null) {
1027 return info.getEncodedInfo();
1028 } else
1029 throw new CertificateEncodingException("Uninitialized certificate");
1030 }
1031
1032 /**
1033 * Gets the raw Signature bits from the certificate.
1034 *
1035 * @return the signature.
1036 */
1037 public byte[] getSignature() {
1038 if (signature == null)
1039 return null;
1040 return signature.clone();
1041 }
1042
1043 /**
1044 * Gets the signature algorithm name for the certificate
1045 * signature algorithm.
1046 * For example, the string "SHA-1/DSA" or "DSS".
1047 *
1048 * @return the signature algorithm name.
1049 */
1050 public String getSigAlgName() {
1051 if (algId == null)
1052 return null;
1053 return (algId.getName());
1054 }
1055
1056 /**
1057 * Gets the signature algorithm OID string from the certificate.
1058 * For example, the string "1.2.840.10040.4.3"
1059 *
1060 * @return the signature algorithm oid string.
1061 */
1062 public String getSigAlgOID() {
1063 if (algId == null)
1064 return null;
1065 ObjectIdentifier oid = algId.getOID();
1066 return (oid.toString());
1067 }
1068
1069 /**
1070 * Gets the DER encoded signature algorithm parameters from this
1071 * certificate's signature algorithm.
1072 *
1073 * @return the DER encoded signature algorithm parameters, or
1074 * null if no parameters are present.
1075 */
1076 public byte[] getSigAlgParams() {
1077 if (algId == null)
1078 return null;
1079 try {
1080 return algId.getEncodedParams();
1081 } catch (IOException e) {
1082 return null;
1083 }
1084 }
1085
1086 /**
1087 * Gets the Issuer Unique Identity from the certificate.
1088 *
1089 * @return the Issuer Unique Identity.
1090 */
1091 public boolean[] getIssuerUniqueID() {
1092 if (info == null)
1093 return null;
1094 try {
1095 UniqueIdentity id = (UniqueIdentity)info.get(
1096 X509CertInfo.ISSUER_ID);
1097 if (id == null)
1098 return null;
1099 else
1100 return (id.getId());
1101 } catch (Exception e) {
1102 return null;
1103 }
1104 }
1105
1106 /**
1107 * Gets the Subject Unique Identity from the certificate.
1108 *
1109 * @return the Subject Unique Identity.
1110 */
1111 public boolean[] getSubjectUniqueID() {
1112 if (info == null)
1113 return null;
1114 try {
1115 UniqueIdentity id = (UniqueIdentity)info.get(
1116 X509CertInfo.SUBJECT_ID);
1117 if (id == null)
1118 return null;
1119 else
1120 return (id.getId());
1121 } catch (Exception e) {
1122 return null;
1123 }
1124 }
1125
1126 public KeyIdentifier getAuthKeyId() {
1127 AuthorityKeyIdentifierExtension aki
1128 = getAuthorityKeyIdentifierExtension();
1129 if (aki != null) {
1130 try {
1131 return (KeyIdentifier)aki.get(
1132 AuthorityKeyIdentifierExtension.KEY_ID);
1133 } catch (IOException ioe) {} // not possible
1134 }
1135 return null;
1136 }
1137
1138 /**
1139 * Returns the subject's key identifier, or null
1140 */
1141 public KeyIdentifier getSubjectKeyId() {
1142 SubjectKeyIdentifierExtension ski = getSubjectKeyIdentifierExtension();
1143 if (ski != null) {
1144 try {
1145 return ski.get(SubjectKeyIdentifierExtension.KEY_ID);
1146 } catch (IOException ioe) {} // not possible
1147 }
1148 return null;
1149 }
1150
1151 /**
1152 * Get AuthorityKeyIdentifier extension
1153 * @return AuthorityKeyIdentifier object or null (if no such object
1154 * in certificate)
1155 */
1156 public AuthorityKeyIdentifierExtension getAuthorityKeyIdentifierExtension()
1157 {
1158 return (AuthorityKeyIdentifierExtension)
1159 getExtension(PKIXExtensions.AuthorityKey_Id);
1160 }
1161
1162 /**
1163 * Get BasicConstraints extension
1164 * @return BasicConstraints object or null (if no such object in
1165 * certificate)
1166 */
1167 public BasicConstraintsExtension getBasicConstraintsExtension() {
1168 return (BasicConstraintsExtension)
1169 getExtension(PKIXExtensions.BasicConstraints_Id);
1170 }
1171
1172 /**
1173 * Get CertificatePoliciesExtension
1174 * @return CertificatePoliciesExtension or null (if no such object in
1175 * certificate)
1176 */
1177 public CertificatePoliciesExtension getCertificatePoliciesExtension() {
1178 return (CertificatePoliciesExtension)
1179 getExtension(PKIXExtensions.CertificatePolicies_Id);
1180 }
1181
1182 /**
1183 * Get ExtendedKeyUsage extension
1184 * @return ExtendedKeyUsage extension object or null (if no such object
1185 * in certificate)
1186 */
1187 public ExtendedKeyUsageExtension getExtendedKeyUsageExtension() {
1188 return (ExtendedKeyUsageExtension)
1189 getExtension(PKIXExtensions.ExtendedKeyUsage_Id);
1190 }
1191
1192 /**
1193 * Get IssuerAlternativeName extension
1194 * @return IssuerAlternativeName object or null (if no such object in
1195 * certificate)
1196 */
1197 public IssuerAlternativeNameExtension getIssuerAlternativeNameExtension() {
1198 return (IssuerAlternativeNameExtension)
1199 getExtension(PKIXExtensions.IssuerAlternativeName_Id);
1200 }
1201
1202 /**
1203 * Get NameConstraints extension
1204 * @return NameConstraints object or null (if no such object in certificate)
1205 */
1206 public NameConstraintsExtension getNameConstraintsExtension() {
1207 return (NameConstraintsExtension)
1208 getExtension(PKIXExtensions.NameConstraints_Id);
1209 }
1210
1211 /**
1212 * Get PolicyConstraints extension
1213 * @return PolicyConstraints object or null (if no such object in
1214 * certificate)
1215 */
1216 public PolicyConstraintsExtension getPolicyConstraintsExtension() {
1217 return (PolicyConstraintsExtension)
1218 getExtension(PKIXExtensions.PolicyConstraints_Id);
1219 }
1220
1221 /**
1222 * Get PolicyMappingsExtension extension
1223 * @return PolicyMappingsExtension object or null (if no such object
1224 * in certificate)
1225 */
1226 public PolicyMappingsExtension getPolicyMappingsExtension() {
1227 return (PolicyMappingsExtension)
1228 getExtension(PKIXExtensions.PolicyMappings_Id);
1229 }
1230
1231 /**
1232 * Get PrivateKeyUsage extension
1233 * @return PrivateKeyUsage object or null (if no such object in certificate)
1234 */
1235 public PrivateKeyUsageExtension getPrivateKeyUsageExtension() {
1236 return (PrivateKeyUsageExtension)
1237 getExtension(PKIXExtensions.PrivateKeyUsage_Id);
1238 }
1239
1240 /**
1241 * Get SubjectAlternativeName extension
1242 * @return SubjectAlternativeName object or null (if no such object in
1243 * certificate)
1244 */
1245 public SubjectAlternativeNameExtension getSubjectAlternativeNameExtension()
1246 {
1247 return (SubjectAlternativeNameExtension)
1248 getExtension(PKIXExtensions.SubjectAlternativeName_Id);
1249 }
1250
1251 /**
1252 * Get SubjectKeyIdentifier extension
1253 * @return SubjectKeyIdentifier object or null (if no such object in
1254 * certificate)
1255 */
1256 public SubjectKeyIdentifierExtension getSubjectKeyIdentifierExtension() {
1257 return (SubjectKeyIdentifierExtension)
1258 getExtension(PKIXExtensions.SubjectKey_Id);
1259 }
1260
1261 /**
1262 * Get CRLDistributionPoints extension
1263 * @return CRLDistributionPoints object or null (if no such object in
1264 * certificate)
1265 */
1266 public CRLDistributionPointsExtension getCRLDistributionPointsExtension() {
1267 return (CRLDistributionPointsExtension)
1268 getExtension(PKIXExtensions.CRLDistributionPoints_Id);
1269 }
1270
1271 /**
1272 * Return true if a critical extension is found that is
1273 * not supported, otherwise return false.
1274 */
1275 public boolean hasUnsupportedCriticalExtension() {
1276 if (info == null)
1277 return false;
1278 try {
1279 CertificateExtensions exts = (CertificateExtensions)info.get(
1280 CertificateExtensions.NAME);
1281 if (exts == null)
1282 return false;
1283 return exts.hasUnsupportedCriticalExtension();
1284 } catch (Exception e) {
1285 return false;
1286 }
1287 }
1288
1289 /**
1290 * Gets a Set of the extension(s) marked CRITICAL in the
1291 * certificate. In the returned set, each extension is
1292 * represented by its OID string.
1293 *
1294 * @return a set of the extension oid strings in the
1295 * certificate that are marked critical.
1296 */
1297 public Set<String> getCriticalExtensionOIDs() {
1298 if (info == null) {
1299 return null;
1300 }
1301 try {
1302 CertificateExtensions exts = (CertificateExtensions)info.get(
1303 CertificateExtensions.NAME);
1304 if (exts == null) {
1305 return null;
1306 }
1307 Set<String> extSet = new TreeSet<>();
1308 for (Extension ex : exts.getAllExtensions()) {
1309 if (ex.isCritical()) {
1310 extSet.add(ex.getExtensionId().toString());
1311 }
1312 }
1313 return extSet;
1314 } catch (Exception e) {
1315 return null;
1316 }
1317 }
1318
1319 /**
1320 * Gets a Set of the extension(s) marked NON-CRITICAL in the
1321 * certificate. In the returned set, each extension is
1322 * represented by its OID string.
1323 *
1324 * @return a set of the extension oid strings in the
1325 * certificate that are NOT marked critical.
1326 */
1327 public Set<String> getNonCriticalExtensionOIDs() {
1328 if (info == null) {
1329 return null;
1330 }
1331 try {
1332 CertificateExtensions exts = (CertificateExtensions)info.get(
1333 CertificateExtensions.NAME);
1334 if (exts == null) {
1335 return null;
1336 }
1337 Set<String> extSet = new TreeSet<>();
1338 for (Extension ex : exts.getAllExtensions()) {
1339 if (!ex.isCritical()) {
1340 extSet.add(ex.getExtensionId().toString());
1341 }
1342 }
1343 extSet.addAll(exts.getUnparseableExtensions().keySet());
1344 return extSet;
1345 } catch (Exception e) {
1346 return null;
1347 }
1348 }
1349
1350 /**
1351 * Gets the extension identified by the given ObjectIdentifier
1352 *
1353 * @param oid the Object Identifier value for the extension.
1354 * @return Extension or null if certificate does not contain this
1355 * extension
1356 */
1357 public Extension getExtension(ObjectIdentifier oid) {
1358 if (info == null) {
1359 return null;
1360 }
1361 try {
1362 CertificateExtensions extensions;
1363 try {
1364 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1365 } catch (CertificateException ce) {
1366 return null;
1367 }
1368 if (extensions == null) {
1369 return null;
1370 } else {
1371 Extension ex = extensions.getExtension(oid.toString());
1372 if (ex != null) {
1373 return ex;
1374 }
1375 for (Extension ex2: extensions.getAllExtensions()) {
1376 if (ex2.getExtensionId().equals(oid)) {
1377 //XXXX May want to consider cloning this
1378 return ex2;
1379 }
1380 }
1381 /* no such extension in this certificate */
1382 return null;
1383 }
1384 } catch (IOException ioe) {
1385 return null;
1386 }
1387 }
1388
1389 public Extension getUnparseableExtension(ObjectIdentifier oid) {
1390 if (info == null) {
1391 return null;
1392 }
1393 try {
1394 CertificateExtensions extensions;
1395 try {
1396 extensions = (CertificateExtensions)info.get(CertificateExtensions.NAME);
1397 } catch (CertificateException ce) {
1398 return null;
1399 }
1400 if (extensions == null) {
1401 return null;
1402 } else {
1403 return extensions.getUnparseableExtensions().get(oid.toString());
1404 }
1405 } catch (IOException ioe) {
1406 return null;
1407 }
1408 }
1409
1410 /**
1411 * Gets the DER encoded extension identified by the given
1412 * oid String.
1413 *
1414 * @param oid the Object Identifier value for the extension.
1415 */
1416 public byte[] getExtensionValue(String oid) {
1417 try {
1418 ObjectIdentifier findOID = ObjectIdentifier.of(oid);
1419 String extAlias = OIDMap.getName(findOID);
1420 Extension certExt = null;
1421 CertificateExtensions exts = (CertificateExtensions)info.get(
1422 CertificateExtensions.NAME);
1423
1424 if (extAlias == null) { // may be unknown
1425 // get the extensions, search thru' for this oid
1426 if (exts == null) {
1427 return null;
1428 }
1429
1430 for (Extension ex : exts.getAllExtensions()) {
1431 ObjectIdentifier inCertOID = ex.getExtensionId();
1432 if (inCertOID.equals(findOID)) {
1433 certExt = ex;
1434 break;
1435 }
1436 }
1437 } else { // there's sub-class that can handle this extension
1438 try {
1439 certExt = (Extension)this.get(extAlias);
1440 } catch (CertificateException e) {
1441 // get() throws an Exception instead of returning null, ignore
1442 }
1443 }
1444 if (certExt == null) {
1445 if (exts != null) {
1446 certExt = exts.getUnparseableExtensions().get(oid);
1447 }
1448 if (certExt == null) {
1449 return null;
1450 }
1451 }
1452 byte[] extData = certExt.getExtensionValue();
1453 if (extData == null) {
1454 return null;
1455 }
1456 DerOutputStream out = new DerOutputStream();
1457 out.putOctetString(extData);
1458 return out.toByteArray();
1459 } catch (Exception e) {
1460 return null;
1461 }
1462 }
1463
1464 /**
1465 * Get a boolean array representing the bits of the KeyUsage extension,
1466 * (oid = 2.5.29.15).
1467 * @return the bit values of this extension as an array of booleans.
1468 */
1469 public boolean[] getKeyUsage() {
1470 try {
1471 String extAlias = OIDMap.getName(PKIXExtensions.KeyUsage_Id);
1472 if (extAlias == null)
1473 return null;
1474
1475 KeyUsageExtension certExt = (KeyUsageExtension)this.get(extAlias);
1476 if (certExt == null)
1477 return null;
1478
1479 boolean[] ret = certExt.getBits();
1480 if (ret.length < NUM_STANDARD_KEY_USAGE) {
1481 boolean[] usageBits = new boolean[NUM_STANDARD_KEY_USAGE];
1482 System.arraycopy(ret, 0, usageBits, 0, ret.length);
1483 ret = usageBits;
1484 }
1485 return ret;
1486 } catch (Exception e) {
1487 return null;
1488 }
1489 }
1490
1491 /**
1492 * This method are the overridden implementation of
1493 * getExtendedKeyUsage method in X509Certificate in the Sun
1494 * provider. It is better performance-wise since it returns cached
1495 * values.
1496 */
1497 public synchronized List<String> getExtendedKeyUsage()
1498 throws CertificateParsingException {
1499 if (readOnly && extKeyUsage != null) {
1500 return extKeyUsage;
1501 } else {
1502 ExtendedKeyUsageExtension ext = getExtendedKeyUsageExtension();
1503 if (ext == null) {
1504 return null;
1505 }
1506 extKeyUsage =
1507 Collections.unmodifiableList(ext.getExtendedKeyUsage());
1508 return extKeyUsage;
1509 }
1510 }
1511
1512 /**
1513 * This static method is the default implementation of the
1514 * getExtendedKeyUsage method in X509Certificate. A
1515 * X509Certificate provider generally should overwrite this to
1516 * provide among other things caching for better performance.
1517 */
1518 public static List<String> getExtendedKeyUsage(X509Certificate cert)
1519 throws CertificateParsingException {
1520 try {
1521 byte[] ext = cert.getExtensionValue
1522 (KnownOIDs.extendedKeyUsage.value());
1523 if (ext == null)
1524 return null;
1525 DerValue val = new DerValue(ext);
1526 byte[] data = val.getOctetString();
1527
1528 ExtendedKeyUsageExtension ekuExt =
1529 new ExtendedKeyUsageExtension(Boolean.FALSE, data);
1530 return Collections.unmodifiableList(ekuExt.getExtendedKeyUsage());
1531 } catch (IOException ioe) {
1532 throw new CertificateParsingException(ioe);
1533 }
1534 }
1535
1536 /**
1537 * Get the certificate constraints path length from
1538 * the critical BasicConstraints extension, (oid = 2.5.29.19).
1539 * @return the length of the constraint.
1540 */
1541 public int getBasicConstraints() {
1542 try {
1543 String extAlias = OIDMap.getName(PKIXExtensions.BasicConstraints_Id);
1544 if (extAlias == null)
1545 return -1;
1546 BasicConstraintsExtension certExt =
1547 (BasicConstraintsExtension)this.get(extAlias);
1548 if (certExt == null)
1549 return -1;
1550
1551 if (((Boolean)certExt.get(BasicConstraintsExtension.IS_CA)
1552 ).booleanValue() == true)
1553 return ((Integer)certExt.get(
1554 BasicConstraintsExtension.PATH_LEN)).intValue();
1555 else
1556 return -1;
1557 } catch (Exception e) {
1558 return -1;
1559 }
1560 }
1561
1562 /**
1563 * Converts a GeneralNames structure into an immutable Collection of
1564 * alternative names (subject or issuer) in the form required by
1565 * {@link #getSubjectAlternativeNames} or
1566 * {@link #getIssuerAlternativeNames}.
1567 *
1568 * @param names the GeneralNames to be converted
1569 * @return an immutable Collection of alternative names
1570 */
1571 private static Collection<List<?>> makeAltNames(GeneralNames names) {
1572 if (names.isEmpty()) {
1573 return Collections.<List<?>>emptySet();
1574 }
1575 List<List<?>> newNames = new ArrayList<>();
1576 for (GeneralName gname : names.names()) {
1577 GeneralNameInterface name = gname.getName();
1578 List<Object> nameEntry = new ArrayList<>(2);
1579 nameEntry.add(Integer.valueOf(name.getType()));
1580 switch (name.getType()) {
1581 case GeneralNameInterface.NAME_RFC822:
1582 nameEntry.add(((RFC822Name) name).getName());
1583 break;
1584 case GeneralNameInterface.NAME_DNS:
1585 nameEntry.add(((DNSName) name).getName());
1586 break;
1587 case GeneralNameInterface.NAME_DIRECTORY:
1588 nameEntry.add(((X500Name) name).getRFC2253Name());
1589 break;
1590 case GeneralNameInterface.NAME_URI:
1591 nameEntry.add(((URIName) name).getName());
1592 break;
1593 case GeneralNameInterface.NAME_IP:
1594 try {
1595 nameEntry.add(((IPAddressName) name).getName());
1596 } catch (IOException ioe) {
1597 // IPAddressName in cert is bogus
1598 throw new RuntimeException("IPAddress cannot be parsed",
1599 ioe);
1600 }
1601 break;
1602 case GeneralNameInterface.NAME_OID:
1603 nameEntry.add(((OIDName) name).getOID().toString());
1604 break;
1605 default:
1606 // add DER encoded form
1607 DerOutputStream derOut = new DerOutputStream();
1608 try {
1609 name.encode(derOut);
1610 } catch (IOException ioe) {
1611 // should not occur since name has already been decoded
1612 // from cert (this would indicate a bug in our code)
1613 throw new RuntimeException("name cannot be encoded", ioe);
1614 }
1615 nameEntry.add(derOut.toByteArray());
1616 break;
1617 }
1618 newNames.add(Collections.unmodifiableList(nameEntry));
1619 }
1620 return Collections.unmodifiableCollection(newNames);
1621 }
1622
1623 /**
1624 * Checks a Collection of altNames and clones any name entries of type
1625 * byte [].
1626 */ // only partially generified due to javac bug
1627 private static Collection<List<?>> cloneAltNames(Collection<List<?>> altNames) {
1628 boolean mustClone = false;
1629 for (List<?> nameEntry : altNames) {
1630 if (nameEntry.get(1) instanceof byte[]) {
1631 // must clone names
1632 mustClone = true;
1633 }
1634 }
1635 if (mustClone) {
1636 List<List<?>> namesCopy = new ArrayList<>();
1637 for (List<?> nameEntry : altNames) {
1638 Object nameObject = nameEntry.get(1);
1639 if (nameObject instanceof byte[]) {
1640 List<Object> nameEntryCopy =
1641 new ArrayList<>(nameEntry);
1642 nameEntryCopy.set(1, ((byte[])nameObject).clone());
1643 namesCopy.add(Collections.unmodifiableList(nameEntryCopy));
1644 } else {
1645 namesCopy.add(nameEntry);
1646 }
1647 }
1648 return Collections.unmodifiableCollection(namesCopy);
1649 } else {
1650 return altNames;
1651 }
1652 }
1653
1654 /**
1655 * This method are the overridden implementation of
1656 * getSubjectAlternativeNames method in X509Certificate in the Sun
1657 * provider. It is better performance-wise since it returns cached
1658 * values.
1659 */
1660 public synchronized Collection<List<?>> getSubjectAlternativeNames()
1661 throws CertificateParsingException {
1662 // return cached value if we can
1663 if (readOnly && subjectAlternativeNames != null) {
1664 return cloneAltNames(subjectAlternativeNames);
1665 }
1666 SubjectAlternativeNameExtension subjectAltNameExt =
1667 getSubjectAlternativeNameExtension();
1668 if (subjectAltNameExt == null) {
1669 return null;
1670 }
1671 GeneralNames names;
1672 try {
1673 names = subjectAltNameExt.get(
1674 SubjectAlternativeNameExtension.SUBJECT_NAME);
1675 } catch (IOException ioe) {
1676 // should not occur
1677 return Collections.<List<?>>emptySet();
1678 }
1679 subjectAlternativeNames = makeAltNames(names);
1680 return subjectAlternativeNames;
1681 }
1682
1683 /**
1684 * This static method is the default implementation of the
1685 * getSubjectAlternaitveNames method in X509Certificate. A
1686 * X509Certificate provider generally should overwrite this to
1687 * provide among other things caching for better performance.
1688 */
1689 public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
1690 throws CertificateParsingException {
1691 try {
1692 byte[] ext = cert.getExtensionValue
1693 (KnownOIDs.SubjectAlternativeName.value());
1694 if (ext == null) {
1695 return null;
1696 }
1697 DerValue val = new DerValue(ext);
1698 byte[] data = val.getOctetString();
1699
1700 SubjectAlternativeNameExtension subjectAltNameExt =
1701 new SubjectAlternativeNameExtension(Boolean.FALSE,
1702 data);
1703
1704 GeneralNames names;
1705 try {
1706 names = subjectAltNameExt.get(
1707 SubjectAlternativeNameExtension.SUBJECT_NAME);
1708 } catch (IOException ioe) {
1709 // should not occur
1710 return Collections.<List<?>>emptySet();
1711 }
1712 return makeAltNames(names);
1713 } catch (IOException ioe) {
1714 throw new CertificateParsingException(ioe);
1715 }
1716 }
1717
1718 /**
1719 * This method are the overridden implementation of
1720 * getIssuerAlternativeNames method in X509Certificate in the Sun
1721 * provider. It is better performance-wise since it returns cached
1722 * values.
1723 */
1724 public synchronized Collection<List<?>> getIssuerAlternativeNames()
1725 throws CertificateParsingException {
1726 // return cached value if we can
1727 if (readOnly && issuerAlternativeNames != null) {
1728 return cloneAltNames(issuerAlternativeNames);
1729 }
1730 IssuerAlternativeNameExtension issuerAltNameExt =
1731 getIssuerAlternativeNameExtension();
1732 if (issuerAltNameExt == null) {
1733 return null;
1734 }
1735 GeneralNames names;
1736 try {
1737 names = issuerAltNameExt.get(
1738 IssuerAlternativeNameExtension.ISSUER_NAME);
1739 } catch (IOException ioe) {
1740 // should not occur
1741 return Collections.<List<?>>emptySet();
1742 }
1743 issuerAlternativeNames = makeAltNames(names);
1744 return issuerAlternativeNames;
1745 }
1746
1747 /**
1748 * This static method is the default implementation of the
1749 * getIssuerAlternaitveNames method in X509Certificate. A
1750 * X509Certificate provider generally should overwrite this to
1751 * provide among other things caching for better performance.
1752 */
1753 public static Collection<List<?>> getIssuerAlternativeNames(X509Certificate cert)
1754 throws CertificateParsingException {
1755 try {
1756 byte[] ext = cert.getExtensionValue
1757 (KnownOIDs.IssuerAlternativeName.value());
1758 if (ext == null) {
1759 return null;
1760 }
1761
1762 DerValue val = new DerValue(ext);
1763 byte[] data = val.getOctetString();
1764
1765 IssuerAlternativeNameExtension issuerAltNameExt =
1766 new IssuerAlternativeNameExtension(Boolean.FALSE,
1767 data);
1768 GeneralNames names;
1769 try {
1770 names = issuerAltNameExt.get(
1771 IssuerAlternativeNameExtension.ISSUER_NAME);
1772 } catch (IOException ioe) {
1773 // should not occur
1774 return Collections.<List<?>>emptySet();
1775 }
1776 return makeAltNames(names);
1777 } catch (IOException ioe) {
1778 throw new CertificateParsingException(ioe);
1779 }
1780 }
1781
1782 public AuthorityInfoAccessExtension getAuthorityInfoAccessExtension() {
1783 return (AuthorityInfoAccessExtension)
1784 getExtension(PKIXExtensions.AuthInfoAccess_Id);
1785 }
1786
1787 /************************************************************/
1788
1789 /*
1790 * Cert is a SIGNED ASN.1 macro, a three elment sequence:
1791 *
1792 * - Data to be signed (ToBeSigned) -- the "raw" cert
1793 * - Signature algorithm (SigAlgId)
1794 * - The signature bits
1795 *
1796 * This routine unmarshals the certificate, saving the signature
1797 * parts away for later verification.
1798 */
1799 private void parse(DerValue val)
1800 throws CertificateException, IOException {
1801 // check if can over write the certificate
1802 if (readOnly)
1803 throw new CertificateParsingException(
1804 "cannot over-write existing certificate");
1805
1806 if (val.data == null || val.tag != DerValue.tag_Sequence)
1807 throw new CertificateParsingException(
1808 "invalid DER-encoded certificate data");
1809
1810 signedCert = val.toByteArray();
1811 DerValue[] seq = new DerValue[3];
1812
1813 seq[0] = val.data.getDerValue();
1814 seq[1] = val.data.getDerValue();
1815 seq[2] = val.data.getDerValue();
1816
1817 if (val.data.available() != 0) {
1818 throw new CertificateParsingException("signed overrun, bytes = "
1819 + val.data.available());
1820 }
1821 if (seq[0].tag != DerValue.tag_Sequence) {
1822 throw new CertificateParsingException("signed fields invalid");
1823 }
1824
1825 algId = AlgorithmId.parse(seq[1]);
1826 signature = seq[2].getBitString();
1827
1828 if (seq[1].data.available() != 0) {
1829 throw new CertificateParsingException("algid field overrun");
1830 }
1831 if (seq[2].data.available() != 0)
1832 throw new CertificateParsingException("signed fields overrun");
1833
1834 // The CertificateInfo
1835 info = new X509CertInfo(seq[0]);
1836
1837 // the "inner" and "outer" signature algorithms must match
1838 AlgorithmId infoSigAlg = (AlgorithmId)info.get(
1839 CertificateAlgorithmId.NAME
1840 + DOT +
1841 CertificateAlgorithmId.ALGORITHM);
1842 if (! algId.equals(infoSigAlg))
1843 throw new CertificateException("Signature algorithm mismatch");
1844 readOnly = true;
1845 }
1846
1847 /**
1848 * Extract the subject or issuer X500Principal from an X509Certificate.
1849 * Parses the encoded form of the cert to preserve the principal's
1850 * ASN.1 encoding.
1851 */
1852 private static X500Principal getX500Principal(X509Certificate cert,
1853 boolean getIssuer) throws Exception {
1854 byte[] encoded = cert.getEncoded();
1855 DerInputStream derIn = new DerInputStream(encoded);
1856 DerValue tbsCert = derIn.getSequence(3)[0];
1857 DerInputStream tbsIn = tbsCert.data;
1858 DerValue tmp;
1859 tmp = tbsIn.getDerValue();
1860 // skip version number if present
1861 if (tmp.isContextSpecific((byte)0)) {
1862 tmp = tbsIn.getDerValue();
1863 }
1864 // tmp always contains serial number now
1865 tmp = tbsIn.getDerValue(); // skip signature
1866 tmp = tbsIn.getDerValue(); // issuer
1867 if (getIssuer == false) {
1868 tmp = tbsIn.getDerValue(); // skip validity
1869 tmp = tbsIn.getDerValue(); // subject
1870 }
1871 byte[] principalBytes = tmp.toByteArray();
1872 return new X500Principal(principalBytes);
1873 }
1874
1875 /**
1876 * Extract the subject X500Principal from an X509Certificate.
1877 * Called from java.security.cert.X509Certificate.getSubjectX500Principal().
1878 */
1879 public static X500Principal getSubjectX500Principal(X509Certificate cert) {
1880 try {
1881 return getX500Principal(cert, false);
1882 } catch (Exception e) {
1883 throw new RuntimeException("Could not parse subject", e);
1884 }
1885 }
1886
1887 /**
1888 * Extract the issuer X500Principal from an X509Certificate.
1889 * Called from java.security.cert.X509Certificate.getIssuerX500Principal().
1890 */
1891 public static X500Principal getIssuerX500Principal(X509Certificate cert) {
1892 try {
1893 return getX500Principal(cert, true);
1894 } catch (Exception e) {
1895 throw new RuntimeException("Could not parse issuer", e);
1896 }
1897 }
1898
1899 /**
1900 * Returned the encoding of the given certificate for internal use.
1901 * Callers must guarantee that they neither modify it nor expose it
1902 * to untrusted code. Uses getEncodedInternal() if the certificate
1903 * is instance of X509CertImpl, getEncoded() otherwise.
1904 */
1905 public static byte[] getEncodedInternal(Certificate cert)
1906 throws CertificateEncodingException {
1907 if (cert instanceof X509CertImpl) {
1908 return ((X509CertImpl)cert).getEncodedInternal();
1909 } else {
1910 return cert.getEncoded();
1911 }
1912 }
1913
1914 /**
1915 * Utility method to convert an arbitrary instance of X509Certificate
1916 * to a X509CertImpl. Does a cast if possible, otherwise reparses
1917 * the encoding.
1918 */
1919 public static X509CertImpl toImpl(X509Certificate cert)
1920 throws CertificateException {
1921 if (cert instanceof X509CertImpl) {
1922 return (X509CertImpl)cert;
1923 } else {
1924 return X509Factory.intern(cert);
1925 }
1926 }
1927
1928 /**
1929 * Utility method to test if a certificate is self-issued. This is
1930 * the case iff the subject and issuer X500Principals are equal.
1931 */
1932 public static boolean isSelfIssued(X509Certificate cert) {
1933 X500Principal subject = cert.getSubjectX500Principal();
1934 X500Principal issuer = cert.getIssuerX500Principal();
1935 return subject.equals(issuer);
1936 }
1937
1938 /**
1939 * Utility method to test if a certificate is self-signed. This is
1940 * the case iff the subject and issuer X500Principals are equal
1941 * AND the certificate's subject public key can be used to verify
1942 * the certificate. In case of exception, returns false.
1943 */
1944 public static boolean isSelfSigned(X509Certificate cert,
1945 String sigProvider) {
1946 if (isSelfIssued(cert)) {
1947 try {
1948 if (sigProvider == null) {
1949 cert.verify(cert.getPublicKey());
1950 } else {
1951 cert.verify(cert.getPublicKey(), sigProvider);
1952 }
1953 return true;
1954 } catch (Exception e) {
1955 // In case of exception, return false
1956 }
1957 }
1958 return false;
1959 }
1960
1961 private ConcurrentHashMap<String,String> fingerprints =
1962 new ConcurrentHashMap<>(2);
1963
1964 public String getFingerprint(String algorithm) {
1965 return fingerprints.computeIfAbsent(algorithm,
1966 x -> getFingerprint(x, this));
1967 }
1968
1969 /**
1970 * Gets the requested finger print of the certificate. The result
1971 * only contains 0-9 and A-F. No small case, no colon.
1972 */
1973 public static String getFingerprint(String algorithm,
1974 X509Certificate cert) {
1975 try {
1976 byte[] encCertInfo = cert.getEncoded();
1977 MessageDigest md = MessageDigest.getInstance(algorithm);
1978 byte[] digest = md.digest(encCertInfo);
1979 StringBuilder sb = new StringBuilder(digest.length * 2);
1980 for (int i = 0; i < digest.length; i++) {
1981 byte2hex(digest[i], sb);
1982 }
1983 return sb.toString();
1984 } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
1985 // ignored
1986 }
1987 return "";
1988 }
1989
1990 /**
1991 * Converts a byte to hex digit and writes to the supplied builder
1992 */
1993 private static void byte2hex(byte b, StringBuilder buf) {
1994 char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
1995 '9', 'A', 'B', 'C', 'D', 'E', 'F' };
1996 int high = ((b & 0xf0) >> 4);
1997 int low = (b & 0x0f);
1998 buf.append(hexChars[high])
1999 .append(hexChars[low]);
2000 }
2001 }