959 lines
32 KiB
Java
959 lines
32 KiB
Java
/*
|
|
* Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation. Oracle designates this
|
|
* particular file as subject to the "Classpath" exception as provided
|
|
* by Oracle in the LICENSE file that accompanied this code.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
package sun.security.x509;
|
|
|
|
import java.io.IOException;
|
|
import java.io.OutputStream;
|
|
|
|
import java.security.cert.*;
|
|
import java.util.*;
|
|
|
|
import sun.security.util.*;
|
|
import sun.misc.HexDumpEncoder;
|
|
|
|
|
|
/**
|
|
* The X509CertInfo class represents X.509 certificate information.
|
|
*
|
|
* <P>X.509 certificates have several base data elements, including:<UL>
|
|
*
|
|
* <LI>The <em>Subject Name</em>, an X.500 Distinguished Name for
|
|
* the entity (subject) for which the certificate was issued.
|
|
*
|
|
* <LI>The <em>Subject Public Key</em>, the public key of the subject.
|
|
* This is one of the most important parts of the certificate.
|
|
*
|
|
* <LI>The <em>Validity Period</em>, a time period (e.g. six months)
|
|
* within which the certificate is valid (unless revoked).
|
|
*
|
|
* <LI>The <em>Issuer Name</em>, an X.500 Distinguished Name for the
|
|
* Certificate Authority (CA) which issued the certificate.
|
|
*
|
|
* <LI>A <em>Serial Number</em> assigned by the CA, for use in
|
|
* certificate revocation and other applications.
|
|
*
|
|
* @author Amit Kapoor
|
|
* @author Hemma Prafullchandra
|
|
* @see CertAttrSet
|
|
* @see X509CertImpl
|
|
*/
|
|
public class X509CertInfo implements CertAttrSet<String> {
|
|
/**
|
|
* Identifier for this attribute, to be used with the
|
|
* get, set, delete methods of Certificate, x509 type.
|
|
*/
|
|
public static final String IDENT = "x509.info";
|
|
// Certificate attribute names
|
|
public static final String NAME = "info";
|
|
public static final String DN_NAME = "dname";
|
|
public static final String VERSION = CertificateVersion.NAME;
|
|
public static final String SERIAL_NUMBER = CertificateSerialNumber.NAME;
|
|
public static final String ALGORITHM_ID = CertificateAlgorithmId.NAME;
|
|
public static final String ISSUER = "issuer";
|
|
public static final String SUBJECT = "subject";
|
|
public static final String VALIDITY = CertificateValidity.NAME;
|
|
public static final String KEY = CertificateX509Key.NAME;
|
|
public static final String ISSUER_ID = "issuerID";
|
|
public static final String SUBJECT_ID = "subjectID";
|
|
public static final String EXTENSIONS = CertificateExtensions.NAME;
|
|
|
|
// X509.v1 data
|
|
protected CertificateVersion version = new CertificateVersion();
|
|
protected CertificateSerialNumber serialNum = null;
|
|
protected CertificateAlgorithmId algId = null;
|
|
protected X500Name issuer = null;
|
|
protected X500Name subject = null;
|
|
protected CertificateValidity interval = null;
|
|
protected CertificateX509Key pubKey = null;
|
|
|
|
// X509.v2 & v3 extensions
|
|
protected UniqueIdentity issuerUniqueId = null;
|
|
protected UniqueIdentity subjectUniqueId = null;
|
|
|
|
// X509.v3 extensions
|
|
protected CertificateExtensions extensions = null;
|
|
|
|
// Attribute numbers for internal manipulation
|
|
private static final int ATTR_VERSION = 1;
|
|
private static final int ATTR_SERIAL = 2;
|
|
private static final int ATTR_ALGORITHM = 3;
|
|
private static final int ATTR_ISSUER = 4;
|
|
private static final int ATTR_VALIDITY = 5;
|
|
private static final int ATTR_SUBJECT = 6;
|
|
private static final int ATTR_KEY = 7;
|
|
private static final int ATTR_ISSUER_ID = 8;
|
|
private static final int ATTR_SUBJECT_ID = 9;
|
|
private static final int ATTR_EXTENSIONS = 10;
|
|
|
|
// DER encoded CertificateInfo data
|
|
private byte[] rawCertInfo = null;
|
|
|
|
// The certificate attribute name to integer mapping stored here
|
|
private static final Map<String,Integer> map = new HashMap<String,Integer>();
|
|
static {
|
|
map.put(VERSION, Integer.valueOf(ATTR_VERSION));
|
|
map.put(SERIAL_NUMBER, Integer.valueOf(ATTR_SERIAL));
|
|
map.put(ALGORITHM_ID, Integer.valueOf(ATTR_ALGORITHM));
|
|
map.put(ISSUER, Integer.valueOf(ATTR_ISSUER));
|
|
map.put(VALIDITY, Integer.valueOf(ATTR_VALIDITY));
|
|
map.put(SUBJECT, Integer.valueOf(ATTR_SUBJECT));
|
|
map.put(KEY, Integer.valueOf(ATTR_KEY));
|
|
map.put(ISSUER_ID, Integer.valueOf(ATTR_ISSUER_ID));
|
|
map.put(SUBJECT_ID, Integer.valueOf(ATTR_SUBJECT_ID));
|
|
map.put(EXTENSIONS, Integer.valueOf(ATTR_EXTENSIONS));
|
|
}
|
|
|
|
/**
|
|
* Construct an uninitialized X509CertInfo on which <a href="#decode">
|
|
* decode</a> must later be called (or which may be deserialized).
|
|
*/
|
|
public X509CertInfo() { }
|
|
|
|
/**
|
|
* Unmarshals a certificate from its encoded form, parsing the
|
|
* encoded bytes. This form of constructor is used by agents which
|
|
* need to examine and use certificate contents. That is, this is
|
|
* one of the more commonly used constructors. Note that the buffer
|
|
* must include only a certificate, and no "garbage" may be left at
|
|
* the end. If you need to ignore data at the end of a certificate,
|
|
* use another constructor.
|
|
*
|
|
* @param cert the encoded bytes, with no trailing data.
|
|
* @exception CertificateParsingException on parsing errors.
|
|
*/
|
|
public X509CertInfo(byte[] cert) throws CertificateParsingException {
|
|
try {
|
|
DerValue in = new DerValue(cert);
|
|
|
|
parse(in);
|
|
} catch (IOException e) {
|
|
throw new CertificateParsingException(e);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Unmarshal a certificate from its encoded form, parsing a DER value.
|
|
* This form of constructor is used by agents which need to examine
|
|
* and use certificate contents.
|
|
*
|
|
* @param derVal the der value containing the encoded cert.
|
|
* @exception CertificateParsingException on parsing errors.
|
|
*/
|
|
public X509CertInfo(DerValue derVal) throws CertificateParsingException {
|
|
try {
|
|
parse(derVal);
|
|
} catch (IOException e) {
|
|
throw new CertificateParsingException(e);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Appends the certificate to an output stream.
|
|
*
|
|
* @param out an output stream to which the certificate is appended.
|
|
* @exception CertificateException on encoding errors.
|
|
* @exception IOException on other errors.
|
|
*/
|
|
public void encode(OutputStream out)
|
|
throws CertificateException, IOException {
|
|
if (rawCertInfo == null) {
|
|
DerOutputStream tmp = new DerOutputStream();
|
|
emit(tmp);
|
|
rawCertInfo = tmp.toByteArray();
|
|
}
|
|
out.write(rawCertInfo.clone());
|
|
}
|
|
|
|
/**
|
|
* Return an enumeration of names of attributes existing within this
|
|
* attribute.
|
|
*/
|
|
public Enumeration<String> getElements() {
|
|
AttributeNameEnumeration elements = new AttributeNameEnumeration();
|
|
elements.addElement(VERSION);
|
|
elements.addElement(SERIAL_NUMBER);
|
|
elements.addElement(ALGORITHM_ID);
|
|
elements.addElement(ISSUER);
|
|
elements.addElement(VALIDITY);
|
|
elements.addElement(SUBJECT);
|
|
elements.addElement(KEY);
|
|
elements.addElement(ISSUER_ID);
|
|
elements.addElement(SUBJECT_ID);
|
|
elements.addElement(EXTENSIONS);
|
|
|
|
return elements.elements();
|
|
}
|
|
|
|
/**
|
|
* Return the name of this attribute.
|
|
*/
|
|
public String getName() {
|
|
return(NAME);
|
|
}
|
|
|
|
/**
|
|
* Returns the encoded certificate info.
|
|
*
|
|
* @exception CertificateEncodingException on encoding information errors.
|
|
*/
|
|
public byte[] getEncodedInfo() throws CertificateEncodingException {
|
|
try {
|
|
if (rawCertInfo == null) {
|
|
DerOutputStream tmp = new DerOutputStream();
|
|
emit(tmp);
|
|
rawCertInfo = tmp.toByteArray();
|
|
}
|
|
return rawCertInfo.clone();
|
|
} catch (IOException e) {
|
|
throw new CertificateEncodingException(e.toString());
|
|
} catch (CertificateException e) {
|
|
throw new CertificateEncodingException(e.toString());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Compares two X509CertInfo objects. This is false if the
|
|
* certificates are not both X.509 certs, otherwise it
|
|
* compares them as binary data.
|
|
*
|
|
* @param other the object being compared with this one
|
|
* @return true iff the certificates are equivalent
|
|
*/
|
|
public boolean equals(Object other) {
|
|
if (other instanceof X509CertInfo) {
|
|
return equals((X509CertInfo) other);
|
|
} else {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Compares two certificates, returning false if any data
|
|
* differs between the two.
|
|
*
|
|
* @param other the object being compared with this one
|
|
* @return true iff the certificates are equivalent
|
|
*/
|
|
public boolean equals(X509CertInfo other) {
|
|
if (this == other) {
|
|
return(true);
|
|
} else if (rawCertInfo == null || other.rawCertInfo == null) {
|
|
return(false);
|
|
} else if (rawCertInfo.length != other.rawCertInfo.length) {
|
|
return(false);
|
|
}
|
|
for (int i = 0; i < rawCertInfo.length; i++) {
|
|
if (rawCertInfo[i] != other.rawCertInfo[i]) {
|
|
return(false);
|
|
}
|
|
}
|
|
return(true);
|
|
}
|
|
|
|
/**
|
|
* Calculates a hash code value for the object. Objects
|
|
* which are equal will also have the same hashcode.
|
|
*/
|
|
public int hashCode() {
|
|
int retval = 0;
|
|
|
|
for (int i = 1; i < rawCertInfo.length; i++) {
|
|
retval += rawCertInfo[i] * i;
|
|
}
|
|
return(retval);
|
|
}
|
|
|
|
/**
|
|
* Returns a printable representation of the certificate.
|
|
*/
|
|
public String toString() {
|
|
|
|
if (subject == null || pubKey == null || interval == null
|
|
|| issuer == null || algId == null || serialNum == null) {
|
|
throw new NullPointerException("X.509 cert is incomplete");
|
|
}
|
|
StringBuilder sb = new StringBuilder();
|
|
|
|
sb.append("[\n");
|
|
sb.append(" " + version.toString() + "\n");
|
|
sb.append(" Subject: " + subject.toString() + "\n");
|
|
sb.append(" Signature Algorithm: " + algId.toString() + "\n");
|
|
sb.append(" Key: " + pubKey.toString() + "\n");
|
|
sb.append(" " + interval.toString() + "\n");
|
|
sb.append(" Issuer: " + issuer.toString() + "\n");
|
|
sb.append(" " + serialNum.toString() + "\n");
|
|
|
|
// optional v2, v3 extras
|
|
if (issuerUniqueId != null) {
|
|
sb.append(" Issuer Id:\n" + issuerUniqueId.toString() + "\n");
|
|
}
|
|
if (subjectUniqueId != null) {
|
|
sb.append(" Subject Id:\n" + subjectUniqueId.toString() + "\n");
|
|
}
|
|
if (extensions != null) {
|
|
Collection<Extension> allExts = extensions.getAllExtensions();
|
|
Extension[] exts = allExts.toArray(new Extension[0]);
|
|
sb.append("\nCertificate Extensions: " + exts.length);
|
|
for (int i = 0; i < exts.length; i++) {
|
|
sb.append("\n[" + (i+1) + "]: ");
|
|
Extension ext = exts[i];
|
|
try {
|
|
if (OIDMap.getClass(ext.getExtensionId()) == null) {
|
|
sb.append(ext.toString());
|
|
byte[] extValue = ext.getExtensionValue();
|
|
if (extValue != null) {
|
|
DerOutputStream out = new DerOutputStream();
|
|
out.putOctetString(extValue);
|
|
extValue = out.toByteArray();
|
|
HexDumpEncoder enc = new HexDumpEncoder();
|
|
sb.append("Extension unknown: "
|
|
+ "DER encoded OCTET string =\n"
|
|
+ enc.encodeBuffer(extValue) + "\n");
|
|
}
|
|
} else
|
|
sb.append(ext.toString()); //sub-class exists
|
|
} catch (Exception e) {
|
|
sb.append(", Error parsing this extension");
|
|
}
|
|
}
|
|
Map<String,Extension> invalid = extensions.getUnparseableExtensions();
|
|
if (invalid.isEmpty() == false) {
|
|
sb.append("\nUnparseable certificate extensions: " + invalid.size());
|
|
int i = 1;
|
|
for (Extension ext : invalid.values()) {
|
|
sb.append("\n[" + (i++) + "]: ");
|
|
sb.append(ext);
|
|
}
|
|
}
|
|
}
|
|
sb.append("\n]");
|
|
return sb.toString();
|
|
}
|
|
|
|
/**
|
|
* Set the certificate attribute.
|
|
*
|
|
* @params name the name of the Certificate attribute.
|
|
* @params val the value of the Certificate attribute.
|
|
* @exception CertificateException on invalid attributes.
|
|
* @exception IOException on other errors.
|
|
*/
|
|
public void set(String name, Object val)
|
|
throws CertificateException, IOException {
|
|
X509AttributeName attrName = new X509AttributeName(name);
|
|
|
|
int attr = attributeMap(attrName.getPrefix());
|
|
if (attr == 0) {
|
|
throw new CertificateException("Attribute name not recognized: "
|
|
+ name);
|
|
}
|
|
// set rawCertInfo to null, so that we are forced to re-encode
|
|
rawCertInfo = null;
|
|
String suffix = attrName.getSuffix();
|
|
|
|
switch (attr) {
|
|
case ATTR_VERSION:
|
|
if (suffix == null) {
|
|
setVersion(val);
|
|
} else {
|
|
version.set(suffix, val);
|
|
}
|
|
break;
|
|
|
|
case ATTR_SERIAL:
|
|
if (suffix == null) {
|
|
setSerialNumber(val);
|
|
} else {
|
|
serialNum.set(suffix, val);
|
|
}
|
|
break;
|
|
|
|
case ATTR_ALGORITHM:
|
|
if (suffix == null) {
|
|
setAlgorithmId(val);
|
|
} else {
|
|
algId.set(suffix, val);
|
|
}
|
|
break;
|
|
|
|
case ATTR_ISSUER:
|
|
setIssuer(val);
|
|
break;
|
|
|
|
case ATTR_VALIDITY:
|
|
if (suffix == null) {
|
|
setValidity(val);
|
|
} else {
|
|
interval.set(suffix, val);
|
|
}
|
|
break;
|
|
|
|
case ATTR_SUBJECT:
|
|
setSubject(val);
|
|
break;
|
|
|
|
case ATTR_KEY:
|
|
if (suffix == null) {
|
|
setKey(val);
|
|
} else {
|
|
pubKey.set(suffix, val);
|
|
}
|
|
break;
|
|
|
|
case ATTR_ISSUER_ID:
|
|
setIssuerUniqueId(val);
|
|
break;
|
|
|
|
case ATTR_SUBJECT_ID:
|
|
setSubjectUniqueId(val);
|
|
break;
|
|
|
|
case ATTR_EXTENSIONS:
|
|
if (suffix == null) {
|
|
setExtensions(val);
|
|
} else {
|
|
if (extensions == null)
|
|
extensions = new CertificateExtensions();
|
|
extensions.set(suffix, val);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Delete the certificate attribute.
|
|
*
|
|
* @params name the name of the Certificate attribute.
|
|
* @exception CertificateException on invalid attributes.
|
|
* @exception IOException on other errors.
|
|
*/
|
|
public void delete(String name)
|
|
throws CertificateException, IOException {
|
|
X509AttributeName attrName = new X509AttributeName(name);
|
|
|
|
int attr = attributeMap(attrName.getPrefix());
|
|
if (attr == 0) {
|
|
throw new CertificateException("Attribute name not recognized: "
|
|
+ name);
|
|
}
|
|
// set rawCertInfo to null, so that we are forced to re-encode
|
|
rawCertInfo = null;
|
|
String suffix = attrName.getSuffix();
|
|
|
|
switch (attr) {
|
|
case ATTR_VERSION:
|
|
if (suffix == null) {
|
|
version = null;
|
|
} else {
|
|
version.delete(suffix);
|
|
}
|
|
break;
|
|
case (ATTR_SERIAL):
|
|
if (suffix == null) {
|
|
serialNum = null;
|
|
} else {
|
|
serialNum.delete(suffix);
|
|
}
|
|
break;
|
|
case (ATTR_ALGORITHM):
|
|
if (suffix == null) {
|
|
algId = null;
|
|
} else {
|
|
algId.delete(suffix);
|
|
}
|
|
break;
|
|
case (ATTR_ISSUER):
|
|
issuer = null;
|
|
break;
|
|
case (ATTR_VALIDITY):
|
|
if (suffix == null) {
|
|
interval = null;
|
|
} else {
|
|
interval.delete(suffix);
|
|
}
|
|
break;
|
|
case (ATTR_SUBJECT):
|
|
subject = null;
|
|
break;
|
|
case (ATTR_KEY):
|
|
if (suffix == null) {
|
|
pubKey = null;
|
|
} else {
|
|
pubKey.delete(suffix);
|
|
}
|
|
break;
|
|
case (ATTR_ISSUER_ID):
|
|
issuerUniqueId = null;
|
|
break;
|
|
case (ATTR_SUBJECT_ID):
|
|
subjectUniqueId = null;
|
|
break;
|
|
case (ATTR_EXTENSIONS):
|
|
if (suffix == null) {
|
|
extensions = null;
|
|
} else {
|
|
if (extensions != null)
|
|
extensions.delete(suffix);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get the certificate attribute.
|
|
*
|
|
* @params name the name of the Certificate attribute.
|
|
*
|
|
* @exception CertificateException on invalid attributes.
|
|
* @exception IOException on other errors.
|
|
*/
|
|
public Object get(String name)
|
|
throws CertificateException, IOException {
|
|
X509AttributeName attrName = new X509AttributeName(name);
|
|
|
|
int attr = attributeMap(attrName.getPrefix());
|
|
if (attr == 0) {
|
|
throw new CertificateParsingException(
|
|
"Attribute name not recognized: " + name);
|
|
}
|
|
String suffix = attrName.getSuffix();
|
|
|
|
switch (attr) { // frequently used attributes first
|
|
case (ATTR_EXTENSIONS):
|
|
if (suffix == null) {
|
|
return(extensions);
|
|
} else {
|
|
if (extensions == null) {
|
|
return null;
|
|
} else {
|
|
return(extensions.get(suffix));
|
|
}
|
|
}
|
|
case (ATTR_SUBJECT):
|
|
if (suffix == null) {
|
|
return(subject);
|
|
} else {
|
|
return(getX500Name(suffix, false));
|
|
}
|
|
case (ATTR_ISSUER):
|
|
if (suffix == null) {
|
|
return(issuer);
|
|
} else {
|
|
return(getX500Name(suffix, true));
|
|
}
|
|
case (ATTR_KEY):
|
|
if (suffix == null) {
|
|
return(pubKey);
|
|
} else {
|
|
return(pubKey.get(suffix));
|
|
}
|
|
case (ATTR_ALGORITHM):
|
|
if (suffix == null) {
|
|
return(algId);
|
|
} else {
|
|
return(algId.get(suffix));
|
|
}
|
|
case (ATTR_VALIDITY):
|
|
if (suffix == null) {
|
|
return(interval);
|
|
} else {
|
|
return(interval.get(suffix));
|
|
}
|
|
case (ATTR_VERSION):
|
|
if (suffix == null) {
|
|
return(version);
|
|
} else {
|
|
return(version.get(suffix));
|
|
}
|
|
case (ATTR_SERIAL):
|
|
if (suffix == null) {
|
|
return(serialNum);
|
|
} else {
|
|
return(serialNum.get(suffix));
|
|
}
|
|
case (ATTR_ISSUER_ID):
|
|
return(issuerUniqueId);
|
|
case (ATTR_SUBJECT_ID):
|
|
return(subjectUniqueId);
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/*
|
|
* Get the Issuer or Subject name
|
|
*/
|
|
private Object getX500Name(String name, boolean getIssuer)
|
|
throws IOException {
|
|
if (name.equalsIgnoreCase(X509CertInfo.DN_NAME)) {
|
|
return getIssuer ? issuer : subject;
|
|
} else if (name.equalsIgnoreCase("x500principal")) {
|
|
return getIssuer ? issuer.asX500Principal()
|
|
: subject.asX500Principal();
|
|
} else {
|
|
throw new IOException("Attribute name not recognized.");
|
|
}
|
|
}
|
|
|
|
/*
|
|
* This routine unmarshals the certificate information.
|
|
*/
|
|
private void parse(DerValue val)
|
|
throws CertificateParsingException, IOException {
|
|
DerInputStream in;
|
|
DerValue tmp;
|
|
|
|
if (val.tag != DerValue.tag_Sequence) {
|
|
throw new CertificateParsingException("signed fields invalid");
|
|
}
|
|
rawCertInfo = val.toByteArray();
|
|
|
|
in = val.data;
|
|
|
|
// Version
|
|
tmp = in.getDerValue();
|
|
if (tmp.isContextSpecific((byte)0)) {
|
|
version = new CertificateVersion(tmp);
|
|
tmp = in.getDerValue();
|
|
}
|
|
|
|
// Serial number ... an integer
|
|
serialNum = new CertificateSerialNumber(tmp);
|
|
|
|
// Algorithm Identifier
|
|
algId = new CertificateAlgorithmId(in);
|
|
|
|
// Issuer name
|
|
issuer = new X500Name(in);
|
|
if (issuer.isEmpty()) {
|
|
throw new CertificateParsingException(
|
|
"Empty issuer DN not allowed in X509Certificates");
|
|
}
|
|
|
|
// validity: SEQUENCE { start date, end date }
|
|
interval = new CertificateValidity(in);
|
|
|
|
// subject name
|
|
subject = new X500Name(in);
|
|
if ((version.compare(CertificateVersion.V1) == 0) &&
|
|
subject.isEmpty()) {
|
|
throw new CertificateParsingException(
|
|
"Empty subject DN not allowed in v1 certificate");
|
|
}
|
|
|
|
// public key
|
|
pubKey = new CertificateX509Key(in);
|
|
|
|
// If more data available, make sure version is not v1.
|
|
if (in.available() != 0) {
|
|
if (version.compare(CertificateVersion.V1) == 0) {
|
|
throw new CertificateParsingException(
|
|
"no more data allowed for version 1 certificate");
|
|
}
|
|
} else {
|
|
return;
|
|
}
|
|
|
|
// Get the issuerUniqueId if present
|
|
tmp = in.getDerValue();
|
|
if (tmp.isContextSpecific((byte)1)) {
|
|
issuerUniqueId = new UniqueIdentity(tmp);
|
|
if (in.available() == 0)
|
|
return;
|
|
tmp = in.getDerValue();
|
|
}
|
|
|
|
// Get the subjectUniqueId if present.
|
|
if (tmp.isContextSpecific((byte)2)) {
|
|
subjectUniqueId = new UniqueIdentity(tmp);
|
|
if (in.available() == 0)
|
|
return;
|
|
tmp = in.getDerValue();
|
|
}
|
|
|
|
// Get the extensions.
|
|
if (version.compare(CertificateVersion.V3) != 0) {
|
|
throw new CertificateParsingException(
|
|
"Extensions not allowed in v2 certificate");
|
|
}
|
|
if (tmp.isConstructed() && tmp.isContextSpecific((byte)3)) {
|
|
extensions = new CertificateExtensions(tmp.data);
|
|
}
|
|
|
|
// verify X.509 V3 Certificate
|
|
verifyCert(subject, extensions);
|
|
|
|
}
|
|
|
|
/*
|
|
* Verify if X.509 V3 Certificate is compliant with RFC 3280.
|
|
*/
|
|
private void verifyCert(X500Name subject,
|
|
CertificateExtensions extensions)
|
|
throws CertificateParsingException, IOException {
|
|
|
|
// if SubjectName is empty, check for SubjectAlternativeNameExtension
|
|
if (subject.isEmpty()) {
|
|
if (extensions == null) {
|
|
throw new CertificateParsingException("X.509 Certificate is " +
|
|
"incomplete: subject field is empty, and certificate " +
|
|
"has no extensions");
|
|
}
|
|
SubjectAlternativeNameExtension subjectAltNameExt = null;
|
|
SubjectAlternativeNameExtension extValue = null;
|
|
GeneralNames names = null;
|
|
try {
|
|
subjectAltNameExt = (SubjectAlternativeNameExtension)
|
|
extensions.get(SubjectAlternativeNameExtension.NAME);
|
|
names = subjectAltNameExt.get(
|
|
SubjectAlternativeNameExtension.SUBJECT_NAME);
|
|
} catch (IOException e) {
|
|
throw new CertificateParsingException("X.509 Certificate is " +
|
|
"incomplete: subject field is empty, and " +
|
|
"SubjectAlternativeName extension is absent");
|
|
}
|
|
|
|
// SubjectAlternativeName extension is empty or not marked critical
|
|
if (names == null || names.isEmpty()) {
|
|
throw new CertificateParsingException("X.509 Certificate is " +
|
|
"incomplete: subject field is empty, and " +
|
|
"SubjectAlternativeName extension is empty");
|
|
} else if (subjectAltNameExt.isCritical() == false) {
|
|
throw new CertificateParsingException("X.509 Certificate is " +
|
|
"incomplete: SubjectAlternativeName extension MUST " +
|
|
"be marked critical when subject field is empty");
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Marshal the contents of a "raw" certificate into a DER sequence.
|
|
*/
|
|
private void emit(DerOutputStream out)
|
|
throws CertificateException, IOException {
|
|
DerOutputStream tmp = new DerOutputStream();
|
|
|
|
// version number, iff not V1
|
|
version.encode(tmp);
|
|
|
|
// Encode serial number, issuer signing algorithm, issuer name
|
|
// and validity
|
|
serialNum.encode(tmp);
|
|
algId.encode(tmp);
|
|
|
|
if ((version.compare(CertificateVersion.V1) == 0) &&
|
|
(issuer.toString() == null))
|
|
throw new CertificateParsingException(
|
|
"Null issuer DN not allowed in v1 certificate");
|
|
|
|
issuer.encode(tmp);
|
|
interval.encode(tmp);
|
|
|
|
// Encode subject (principal) and associated key
|
|
if ((version.compare(CertificateVersion.V1) == 0) &&
|
|
(subject.toString() == null))
|
|
throw new CertificateParsingException(
|
|
"Null subject DN not allowed in v1 certificate");
|
|
subject.encode(tmp);
|
|
pubKey.encode(tmp);
|
|
|
|
// Encode issuerUniqueId & subjectUniqueId.
|
|
if (issuerUniqueId != null) {
|
|
issuerUniqueId.encode(tmp, DerValue.createTag(DerValue.TAG_CONTEXT,
|
|
false,(byte)1));
|
|
}
|
|
if (subjectUniqueId != null) {
|
|
subjectUniqueId.encode(tmp, DerValue.createTag(DerValue.TAG_CONTEXT,
|
|
false,(byte)2));
|
|
}
|
|
|
|
// Write all the extensions.
|
|
if (extensions != null) {
|
|
extensions.encode(tmp);
|
|
}
|
|
|
|
// Wrap the data; encoding of the "raw" cert is now complete.
|
|
out.write(DerValue.tag_Sequence, tmp);
|
|
}
|
|
|
|
/**
|
|
* Returns the integer attribute number for the passed attribute name.
|
|
*/
|
|
private int attributeMap(String name) {
|
|
Integer num = map.get(name);
|
|
if (num == null) {
|
|
return 0;
|
|
}
|
|
return num.intValue();
|
|
}
|
|
|
|
/**
|
|
* Set the version number of the certificate.
|
|
*
|
|
* @params val the Object class value for the Extensions
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setVersion(Object val) throws CertificateException {
|
|
if (!(val instanceof CertificateVersion)) {
|
|
throw new CertificateException("Version class type invalid.");
|
|
}
|
|
version = (CertificateVersion)val;
|
|
}
|
|
|
|
/**
|
|
* Set the serial number of the certificate.
|
|
*
|
|
* @params val the Object class value for the CertificateSerialNumber
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setSerialNumber(Object val) throws CertificateException {
|
|
if (!(val instanceof CertificateSerialNumber)) {
|
|
throw new CertificateException("SerialNumber class type invalid.");
|
|
}
|
|
serialNum = (CertificateSerialNumber)val;
|
|
}
|
|
|
|
/**
|
|
* Set the algorithm id of the certificate.
|
|
*
|
|
* @params val the Object class value for the AlgorithmId
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setAlgorithmId(Object val) throws CertificateException {
|
|
if (!(val instanceof CertificateAlgorithmId)) {
|
|
throw new CertificateException(
|
|
"AlgorithmId class type invalid.");
|
|
}
|
|
algId = (CertificateAlgorithmId)val;
|
|
}
|
|
|
|
/**
|
|
* Set the issuer name of the certificate.
|
|
*
|
|
* @params val the Object class value for the issuer
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setIssuer(Object val) throws CertificateException {
|
|
if (!(val instanceof X500Name)) {
|
|
throw new CertificateException(
|
|
"Issuer class type invalid.");
|
|
}
|
|
issuer = (X500Name)val;
|
|
}
|
|
|
|
/**
|
|
* Set the validity interval of the certificate.
|
|
*
|
|
* @params val the Object class value for the CertificateValidity
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setValidity(Object val) throws CertificateException {
|
|
if (!(val instanceof CertificateValidity)) {
|
|
throw new CertificateException(
|
|
"CertificateValidity class type invalid.");
|
|
}
|
|
interval = (CertificateValidity)val;
|
|
}
|
|
|
|
/**
|
|
* Set the subject name of the certificate.
|
|
*
|
|
* @params val the Object class value for the Subject
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setSubject(Object val) throws CertificateException {
|
|
if (!(val instanceof X500Name)) {
|
|
throw new CertificateException(
|
|
"Subject class type invalid.");
|
|
}
|
|
subject = (X500Name)val;
|
|
}
|
|
|
|
/**
|
|
* Set the public key in the certificate.
|
|
*
|
|
* @params val the Object class value for the PublicKey
|
|
* @exception CertificateException on invalid data.
|
|
*/
|
|
private void setKey(Object val) throws CertificateException {
|
|
if (!(val instanceof CertificateX509Key)) {
|
|
throw new CertificateException(
|
|
"Key class type invalid.");
|
|
}
|
|
pubKey = (CertificateX509Key)val;
|
|
}
|
|
|
|
/**
|
|
* Set the Issuer Unique Identity in the certificate.
|
|
*
|
|
* @params val the Object class value for the IssuerUniqueId
|
|
* @exception CertificateException
|
|
*/
|
|
private void setIssuerUniqueId(Object val) throws CertificateException {
|
|
if (version.compare(CertificateVersion.V2) < 0) {
|
|
throw new CertificateException("Invalid version");
|
|
}
|
|
if (!(val instanceof UniqueIdentity)) {
|
|
throw new CertificateException(
|
|
"IssuerUniqueId class type invalid.");
|
|
}
|
|
issuerUniqueId = (UniqueIdentity)val;
|
|
}
|
|
|
|
/**
|
|
* Set the Subject Unique Identity in the certificate.
|
|
*
|
|
* @params val the Object class value for the SubjectUniqueId
|
|
* @exception CertificateException
|
|
*/
|
|
private void setSubjectUniqueId(Object val) throws CertificateException {
|
|
if (version.compare(CertificateVersion.V2) < 0) {
|
|
throw new CertificateException("Invalid version");
|
|
}
|
|
if (!(val instanceof UniqueIdentity)) {
|
|
throw new CertificateException(
|
|
"SubjectUniqueId class type invalid.");
|
|
}
|
|
subjectUniqueId = (UniqueIdentity)val;
|
|
}
|
|
|
|
/**
|
|
* Set the extensions in the certificate.
|
|
*
|
|
* @params val the Object class value for the Extensions
|
|
* @exception CertificateException
|
|
*/
|
|
private void setExtensions(Object val) throws CertificateException {
|
|
if (version.compare(CertificateVersion.V3) < 0) {
|
|
throw new CertificateException("Invalid version");
|
|
}
|
|
if (!(val instanceof CertificateExtensions)) {
|
|
throw new CertificateException(
|
|
"Extensions class type invalid.");
|
|
}
|
|
extensions = (CertificateExtensions)val;
|
|
}
|
|
}
|