114
115 host = uri.getHost();
116 // RFC 3280 says that the host should be non-null, but we allow it to
117 // be null because some widely deployed certificates contain CDP
118 // extensions with URIs that have no hostname (see bugs 4802236 and
119 // 5107944).
120 if (host != null) {
121 if (host.charAt(0) == '[') {
122 // Verify host is a valid IPv6 address name
123 String ipV6Host = host.substring(1, host.length()-1);
124 try {
125 hostIP = new IPAddressName(ipV6Host);
126 } catch (IOException ioe) {
127 throw new IOException("invalid URI name (host " +
128 "portion is not a valid IPv6 address):" + name);
129 }
130 } else {
131 try {
132 hostDNS = new DNSName(host);
133 } catch (IOException ioe) {
134 // Not a valid DNS Name; see if it is a valid IPv4
135 // IPAddressName
136 try {
137 hostIP = new IPAddressName(host);
138 } catch (Exception ioe2) {
139 throw new IOException("invalid URI name (host " +
140 "portion is not a valid DNS name, IPv4 address," +
141 " or IPv6 address):" + name);
142 }
143 }
144 }
145 }
146 }
147
148 /**
149 * Create the URIName object with the specified name constraint. URI
150 * name constraints syntax is different than SubjectAltNames, etc. See
151 * 4.2.1.11 of RFC 3280.
152 *
153 * @param value the URI name constraint
154 * @throws IOException if name is not a proper URI name constraint
155 */
156 public static URIName nameConstraint(DerValue value) throws IOException {
157 URI uri;
158 String name = value.getIA5String();
159 try {
160 uri = new URI(name);
322 } else if (inputName.getType() != NAME_URI) {
323 constraintType = NAME_DIFF_TYPE;
324 } else {
325 // Assuming from here on that one or both of these is
326 // actually a URI name constraint (not a URI), so we
327 // only need to compare the host portion of the name
328
329 String otherHost = ((URIName)inputName).getHost();
330
331 // Quick check for equality
332 if (otherHost.equalsIgnoreCase(host)) {
333 constraintType = NAME_MATCH;
334 } else {
335 Object otherHostObject = ((URIName)inputName).getHostObject();
336
337 if ((hostDNS == null) ||
338 !(otherHostObject instanceof DNSName)) {
339 // If one (or both) is an IP address, only same type
340 constraintType = NAME_SAME_TYPE;
341 } else {
342 // Both host portions are DNS names. Are they domains?
343 boolean thisDomain = (host.charAt(0) == '.');
344 boolean otherDomain = (otherHost.charAt(0) == '.');
345 DNSName otherDNS = (DNSName) otherHostObject;
346
347 // Run DNSName.constrains.
348 constraintType = hostDNS.constrains(otherDNS);
349 // If neither one is a domain, then they can't
350 // widen or narrow. That's just SAME_TYPE.
351 if ((!thisDomain && !otherDomain) &&
352 ((constraintType == NAME_WIDENS) ||
353 (constraintType == NAME_NARROWS))) {
354 constraintType = NAME_SAME_TYPE;
355 }
356
357 // If one is a domain and the other isn't,
358 // then they can't match. The one that's a
359 // domain doesn't include the one that's
360 // not a domain.
361 if ((thisDomain != otherDomain) &&
362 (constraintType == NAME_MATCH)) {
|
114
115 host = uri.getHost();
116 // RFC 3280 says that the host should be non-null, but we allow it to
117 // be null because some widely deployed certificates contain CDP
118 // extensions with URIs that have no hostname (see bugs 4802236 and
119 // 5107944).
120 if (host != null) {
121 if (host.charAt(0) == '[') {
122 // Verify host is a valid IPv6 address name
123 String ipV6Host = host.substring(1, host.length()-1);
124 try {
125 hostIP = new IPAddressName(ipV6Host);
126 } catch (IOException ioe) {
127 throw new IOException("invalid URI name (host " +
128 "portion is not a valid IPv6 address):" + name);
129 }
130 } else {
131 try {
132 hostDNS = new DNSName(host);
133 } catch (IOException ioe) {
134 // Not a valid DNSName; see if it is a valid IPv4
135 // IPAddressName
136 try {
137 hostIP = new IPAddressName(host);
138 } catch (Exception ioe2) {
139 throw new IOException("invalid URI name (host " +
140 "portion is not a valid DNSName, IPv4 address," +
141 " or IPv6 address):" + name);
142 }
143 }
144 }
145 }
146 }
147
148 /**
149 * Create the URIName object with the specified name constraint. URI
150 * name constraints syntax is different than SubjectAltNames, etc. See
151 * 4.2.1.11 of RFC 3280.
152 *
153 * @param value the URI name constraint
154 * @throws IOException if name is not a proper URI name constraint
155 */
156 public static URIName nameConstraint(DerValue value) throws IOException {
157 URI uri;
158 String name = value.getIA5String();
159 try {
160 uri = new URI(name);
322 } else if (inputName.getType() != NAME_URI) {
323 constraintType = NAME_DIFF_TYPE;
324 } else {
325 // Assuming from here on that one or both of these is
326 // actually a URI name constraint (not a URI), so we
327 // only need to compare the host portion of the name
328
329 String otherHost = ((URIName)inputName).getHost();
330
331 // Quick check for equality
332 if (otherHost.equalsIgnoreCase(host)) {
333 constraintType = NAME_MATCH;
334 } else {
335 Object otherHostObject = ((URIName)inputName).getHostObject();
336
337 if ((hostDNS == null) ||
338 !(otherHostObject instanceof DNSName)) {
339 // If one (or both) is an IP address, only same type
340 constraintType = NAME_SAME_TYPE;
341 } else {
342 // Both host portions are DNSNames. Are they domains?
343 boolean thisDomain = (host.charAt(0) == '.');
344 boolean otherDomain = (otherHost.charAt(0) == '.');
345 DNSName otherDNS = (DNSName) otherHostObject;
346
347 // Run DNSName.constrains.
348 constraintType = hostDNS.constrains(otherDNS);
349 // If neither one is a domain, then they can't
350 // widen or narrow. That's just SAME_TYPE.
351 if ((!thisDomain && !otherDomain) &&
352 ((constraintType == NAME_WIDENS) ||
353 (constraintType == NAME_NARROWS))) {
354 constraintType = NAME_SAME_TYPE;
355 }
356
357 // If one is a domain and the other isn't,
358 // then they can't match. The one that's a
359 // domain doesn't include the one that's
360 // not a domain.
361 if ((thisDomain != otherDomain) &&
362 (constraintType == NAME_MATCH)) {
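Review bot: At line 332 in the second hunk, `otherHost.equalsIgnoreCase(host)` dereferences the other name's host without a null check, although the comment at lines 116-119 in the first hunk says a null host is deliberately accepted for URIs that have no hostname. If `getHost()` returns that field unchanged (its body is not shown here), comparing against a hostless name would throw a NullPointerException during name-constraint evaluation instead of returning a constraint type. A guard such as `if (otherHost != null && otherHost.equalsIgnoreCase(host)) {` would let that case fall through to the existing `NAME_SAME_TYPE` branch, assuming `getHostObject()` yields no `DNSName` for a hostless name. Whether `NAME_SAME_TYPE` is the intended outcome for a hostless URI is worth stating in a comment there, because it decides whether the certificate path is accepted or rejected. The enclosing method starts before and continues past this hunk, so an earlier guard may already exist outside the visible lines.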
|